[OpenAFS] multi-realm support (was: asetkey: failed to set key, code 70354694)

Christopher D. Clausen cclausen@acm.org
Mon, 9 Apr 2007 13:50:19 -0500


Derrick J Brashear <shadow@dementia.org> wrote:
> On Mon, 9 Apr 2007, Christopher D. Clausen wrote:
>> That is assuming you don't have more than X Kerberos realms that you
>> want to use for an afs service principal.  And if you want to change
>> the afs service principal in all trusted realms, you could end up
>> needing 2X "slots" in the KeyFile.
>>
>> Is there a specific reason for the limit?  It seems arbitrary to me.
>
> Linear search. Otherwise no. The current realm limit is lower than
> that anyway in 1.5 and is basically 2 in 1.4, unless they all have
> the same realm name, unless you're being really tricky anyway.

What is the current realm limit in 1.5?

I am using 2 realms now with 1.4.  Using an MIT realm and an Active 
Directory realm with a single cell.  The MIT realm name "matches" the 
cell, the AD realm is different.  (For the record, it seems that one 
must list the "foreign" realm first in krb.conf in order to get the 
multiple realm support to actually work.  Not sure if that is a feature 
or a bug.)

I'd hate to see multi-realm support turn into two-realm support or 
three-realm support.  I guess it's better than nothing, but again seems 
arbitrary.  I know one could simply design the Kerberos realms better to 
avoid needing so many realms, but sometimes that is out of the control 
of the AFS administrator.

<<CDC
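Added example (not code from OpenAFS or from anyone in this thread) to make the "X slots" arithmetic concrete. It assumes the 1.4-era KeyFile layout from src/auth/cellconfig.h: a big-endian int32 key count followed by AFSCONF_MAXKEYS (8) fixed entries of int32 kvno plus an 8-byte DES key, with no realm or principal name stored anywhere. The add_key function models the overwrite path of afsconf_AddKey as I understand it (same kvno replaces the old key, otherwise a free slot is needed); that behaviour, the helper names and the constructed sample files are assumptions for illustration. Because the file is indexed by kvno alone, an afs principal in a second realm needs a kvno that no other realm already occupies, and holding an old and a new kvno per realm during a key change is what turns X realms into 2X slots.

```python
"""Inspect an OpenAFS-style KeyFile and report slot usage (added example)."""
import struct

AFSCONF_MAXKEYS = 8                      # fixed number of key slots (assumed, from cellconfig.h)
ENTRY_FMT = ">i8s"                       # big-endian int32 kvno, then an 8-byte DES key
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 12 bytes per slot
FILE_SIZE = 4 + AFSCONF_MAXKEYS * ENTRY_SIZE  # 100 bytes when the whole struct is written


def parse_keyfile(data: bytes) -> list[tuple[int, bytes]]:
    """Return the (kvno, key) pairs the nkeys header says are in use."""
    if len(data) < 4:
        raise ValueError("KeyFile too short to hold a key count")
    (nkeys,) = struct.unpack_from(">i", data, 0)
    if not 0 <= nkeys <= AFSCONF_MAXKEYS:
        raise ValueError(f"nkeys={nkeys} outside 0..{AFSCONF_MAXKEYS}")
    if len(data) < 4 + nkeys * ENTRY_SIZE:
        raise ValueError("KeyFile truncated before the last advertised key")
    return [struct.unpack_from(ENTRY_FMT, data, 4 + i * ENTRY_SIZE)
            for i in range(nkeys)]


def build_keyfile(entries: list[tuple[int, bytes]]) -> bytes:
    """Serialise entries in the same layout; used here to construct sample input."""
    if len(entries) > AFSCONF_MAXKEYS:
        raise ValueError("more keys than slots")
    body = b"".join(struct.pack(ENTRY_FMT, kvno, key) for kvno, key in entries)
    # Unused slots are written as zeros so the file is always the full struct size.
    body += b"\0" * ((AFSCONF_MAXKEYS - len(entries)) * ENTRY_SIZE)
    return struct.pack(">i", len(entries)) + body


def add_key(data: bytes, kvno: int, key: bytes) -> tuple[bytes, str]:
    """Model the overwrite path of afsconf_AddKey (assumed 1.4 behaviour).

    An existing kvno is replaced in place, regardless of which realm it came
    from, because the file carries no realm information.  A new kvno needs a
    free slot; when none is left the add fails, which is the situation a
    full KeyFile puts asetkey in.
    """
    entries = parse_keyfile(data)
    for i, (existing_kvno, _) in enumerate(entries):
        if existing_kvno == kvno:
            entries[i] = (kvno, key)
            return build_keyfile(entries), "replaced"
    if len(entries) >= AFSCONF_MAXKEYS:
        raise OverflowError(f"KeyFile full: all {AFSCONF_MAXKEYS} slots in use")
    entries.append((kvno, key))
    return build_keyfile(entries), "added"


def slot_report(data: bytes, realms: int) -> dict:
    """Summarise slot usage for `realms` Kerberos realms sharing this KeyFile.

    'rotation_fits' is the 2X-slots check from the thread: whether every realm
    could hold both an old and a new kvno at the same time.
    """
    entries = parse_keyfile(data)
    kvnos = [kvno for kvno, _ in entries]
    return {
        "used": len(entries),
        "free": AFSCONF_MAXKEYS - len(entries),
        "full": len(entries) == AFSCONF_MAXKEYS,
        "duplicate_kvnos": sorted({k for k in kvnos if kvnos.count(k) > 1}),
        "rotation_fits": 2 * realms <= AFSCONF_MAXKEYS,
    }


if __name__ == "__main__":
    # Constructed sample: one MIT realm at kvno 3 and one AD realm at kvno 4.
    sample = build_keyfile([(3, b"\x01" * 8), (4, b"\x02" * 8)])
    print(slot_report(sample, realms=2))
    print(slot_report(sample, realms=5))   # 5 realms cannot all rotate at once
```

Run it against a real KeyFile by reading the file's bytes into parse_keyfile; if the report shows the file full, a new kvno cannot be added until an old one is removed, and if a second realm reuses a kvno already present, add_key shows it silently replacing the first realm's key rather than failing.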