[OpenAFS] the mac quandry with 2 realms
Douglas E. Engert
Thu, 15 Jul 2010 14:04:46 -0500
On 7/14/2010 11:32 AM, David Bear wrote:
> We have an issue that we haven't found a good solution for on mac osX.
> We have BOTH a kerberos realm called 'asu.edu', and an
> active directory domain called asurite. Our afs identities are all in
> the asu.edu realm. We also have cifs space that
> requires authentication tokens from the asurite domain.
> We can configure the mac to do kerberos auth to the asu.edu
> realm -- and automatically get afs tokens in the
> request, and access afs. However, configuring the mac that way precludes
> our ability to get an authentication token in the asurite domain, and
> therefore prevents us from accessing cifs.
> Or, we can join the mac to the asurite (active directory) domain, and
> use cifs, and face similar issues of not being able to get afs tokens to
> get in to afs space.
I don't have a Mac to try this on, but if you can't use cross realm
for some reason, have you tried adding the ASU.EDU realm to the
/Library/Preferences/edu.mit.kerberos file leaving the default
realm pointing at asurite, then use:

    klog.krb5 user -k ASU.EDU

If that does not work, have you tried something like:
where the krb5.conf has the default realm set to ASU.EDU.
You could make this into a script.
> Finally, we can leave the mac stand alone - not configuring it for any
> realm/domain authentication, and then use klog to get afs tokens and use
> the mac prompt for accessing cifs to get authentication tokens from the
> asurite domain.
> I am wondering what other mac osx users are experiencing with wanting to
> use both afs and cifs -- and if there is a best practice and perhaps
> other tools (scripts?) that make cifs and afs more peacefully coexist on
> David Bear
> College of Public Programs at ASU
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439