[OpenAFS] Re: other-realm groups in ACLs?
Derrick Brashear
shadow@gmail.com
Mon, 17 Mar 2008 16:21:15 -0400
On Mon, Mar 17, 2008 at 4:17 PM, Adam Megacz <megacz@cs.berkeley.edu> wrote:
>
> Jeffrey Altman <jaltman@columbia.edu> writes:
> > Please clarify what you are asking. Are you asking if you can use
> > the group definitions from cell A on ACLs in cell B?
>
> Yes.
>
>
> "Derrick Brashear" <shadow@gmail.com> writes:
> > No. And my server has no creds to do a lookup in your realm
>
> Sorry, I should have indicated that I was assuming a cross-realm trust
> between the "home" kerberos realms of the two cells.
>
Still not sufficient. The server doesn't run with a Kerberos ticket.
It can't talk to a KDC.
And if it could it would have the Zephyr cross-realm problem. (RPC
callers block while I try to talk to a foreign KDC that's down.
"oops")