[OpenAFS] does cross-realm aklog require REQUIRES_PRE_AUTH attribute?

Adam Megacz megacz@cs.berkeley.edu
Sat, 05 May 2007 12:48:12 -0700


I've found that when doing cross-realm trust between two AFS cells
(both in MIT KDC realms), the foreign-realm principal trying to
acquire tokens in the local realm must have REQUIRES_PRE_AUTH as an
attribute in his/her realm in order for aklog to work.

Is this to be expected, or is it a side effect of some mistake I made?

If this is the case ("cross-realm only works when REQUIRES_PRE_AUTH is
enabled") I can arrange for that attribute to be turned on for all the
necessary users.  I just wanted to see if it was necessary before
asking for this to be done, and perhaps understand why it is necessary.

Thanks,

  - a

-- 
PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380