[OpenAFS] the mac quandry with 2 realms
David Bear
David.Bear@asu.edu
Wed, 14 Jul 2010 09:32:43 -0700
--005045015c63011a7f048b5b89d6
Content-Type: text/plain; charset=UTF-8
We have an issue that we haven't found a good solution for on mac osX. We
have BOTH a kerberos realm called 'asu.edu', and an active directory domain
called asurite. Our afs identities are all in the asu.edu realm. We also
have cifs space that requires authentication tokens from the asurite
domain.
We can configure the make to do kerberos auth to the asu.edu realm -- and
automatically get afs tokens in the request, and access afs. However,
configuring the mac that way precludes our ability to get an authentication
token in the asurite domain, and therefore prevents us from accessing cifs.
Or, we can join the mac to the asurite (active directory) domain, and use
cifs, and face similar issues of not being able to get afs tokens to get in
to afs space.
Finally, we can leave the mac stand alone - not configuring it for any
realm/domain authentication, and then use klog to get afs tokens and use the
mac prompt for accessing cifs to get authentication tokens from the asurite
domain.
I am wondering what other mac osx users are experiencing with wanting to use
both afs and cifs -- and if there is a best practice and perhaps other tools
(scripts?) that make cifs and afs more peacefully coexist on osX.
--
David Bear
College of Public Programs at ASU
602-494-0424
--005045015c63011a7f048b5b89d6
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
We have an issue that we haven't found a good solution for on mac osX. =
We have BOTH a kerberos realm called '<a href=3D"http://asu.edu">asu.ed=
u</a>', and an active directory domain called asurite. Our afs identiti=
es are all in the <a href=3D"http://asu.edu">asu.edu</a> realm. We also hav=
e cifs space that requires authentication tokens from the asurite domain.=
=C2=A0<div>
<br></div><div>We can configure the make to do kerberos auth to the <a href=
=3D"http://asu.edu">asu.edu</a> realm -- and automatically get afs tokens i=
n the request, and access afs. However, configuring the mac that way preclu=
des our ability to get an authentication token in the asurite domain, and t=
herefore prevents us from accessing cifs.</div>
<div><br></div><div>Or, we can join the mac to the asurite (active director=
y) domain, and use cifs, and face similar issues of not being able to get a=
fs tokens to get in to afs space.</div><div><br></div><div>Finally, we can =
leave the mac stand alone - not configuring it for any realm/domain authent=
ication, and then use klog to get afs tokens and use the mac prompt for acc=
essing cifs to get authentication tokens from the asurite domain.</div>
<div><br></div><div>I am wondering what other mac osx users are experiencin=
g with wanting to use both afs and cifs -- and if there is a best practice =
and perhaps other tools (scripts?) that make cifs and afs more peacefully c=
oexist on osX.</div>
<div><br><div><br>-- <br>David Bear<br>College of Public Programs at ASU<br=
>602-494-0424<br>
</div></div>
--005045015c63011a7f048b5b89d6--