[OpenAFS] multi-realm support (was: asetkey: failed to set key, code 70354694)
Christopher D. Clausen
Mon, 9 Apr 2007 13:50:19 -0500
Derrick J Brashear <email@example.com> wrote:
> On Mon, 9 Apr 2007, Christopher D. Clausen wrote:
>> That is assuming you don't have more than X Kerberos realms that you
>> want to use for an afs service principal. And if you want to change
>> the afs service principal in all trusted realms, you could end up
>> needing 2X "slots" in the KeyFile.
>> Is there a specific reason for the limit? It seems arbitrary to me.
> Linear search. Otherwise no. The current realm limit is lower than
> that anyway in 1.5 and is basically 2 in 1.4, unless they all have
> the same realm name, unless you're being really tricky anyway.
What is the current realm limit in 1.5?
I am using 2 realms now with 1.4. Using an MIT realm and an Active
Directory realm with a single cell. The MIT realm name "matches" the
cell, the AD realm is different. (For the record, its seems that one
must list the "foreign" realm first in krb.conf in order to get the
multile realm support to actually work. Not sure if that is a feature
or a bug.)
I'd hate to see multi-realm support turn into two-realm support or
three-realm support. I guess its better than nothing, but again seems
arbitrary. I know one could simply design the Kerberos realms better to
avoid needing so many realms, but sometimes that is out of the control
of the AFS administrator.