[OpenAFS] Re: OpenAFS and AD trusts
Russ Allbery
rra@stanford.edu
Mon, 11 Jul 2011 17:30:06 -0700
"Danko Antolovic" <dantolov@indiana.edu> writes:
> Thanks, but let me clarify: I am trying to separate the administrative
> part of managing many user databases from the proper functions of the
> AFS server.
> I want to have multiple domains like IU.EDU (school1.edu, school2.edu
> ...), providing user creds for a single AFS installation. I could list
> them all in /usr/afs/etc/krb.conf, make all the asetkeys etc., but the
> idea is to have the AD manage multiple domains via trusts to
> RESOURCE.NET, and have AFS be aware of one domain only (you can see how
> this would be useful in the case of many different services, all
> authenticating through RESOURCE.NET).
AFS goes off of the expressed principal in the service ticket for AFS, so
you need to do one of two things:
1) Put all of your user principals who will use AFS inside a single IU.EDU
domain (or some subdomain, but they all have to be in one domain). You
can still put hosts and other principals that don't need AFS access in
other domains, and of course use domain trust, but all the users would
have to log on to the single designated domain. (That's what we do at
Stanford, roughly.)
2) Configure AFS to be aware of all of the subdomains and treat them all
as equivalent to the local domain. Note that in order to do this you
will need to ensure there are no namespace conflicts; in other words,
the username "foo" has to be unique across all the trusted domains.
You can't have it be a different person in two different domains.
Later versions of AFS will be able to do other, more useful things, but
we're not there yet.
Even if you do #2, you will still need to set up cross-realm trust. But
trust alone doesn't fix the problem; you need both trust and some sort of
user mapping for AFS, and right now only the krb.conf user mapping is
available (at least without source code modifications).
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
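The "no namespace conflicts" requirement in option 2 above is something you can audit before listing extra realms in krb.conf. The following is an added example, not code from the thread or from OpenAFS; it assumes krb.conf lists one realm per line and that AFS strips the realm and joins any instance with a dot (svc/backup@IU.EDU becomes "svc.backup"), and it works on constructed sample data.

```python
# Added example (not from the thread): audit the "no namespace conflicts"
# requirement for treating several Kerberos realms as local to one AFS cell.
# Assumptions: krb.conf lists one realm per line; AFS strips the realm and
# joins any instance with '.', so svc/backup@IU.EDU becomes "svc.backup".
from collections import defaultdict

# Constructed krb.conf content (realms AFS should treat as local).
KRB_CONF = "IU.EDU\nSCHOOL1.EDU\nSCHOOL2.EDU\n"

# Constructed principal list exported from the trusted domains.
PRINCIPALS = [
    "alice@IU.EDU",
    "bob@SCHOOL1.EDU",
    "foo@SCHOOL1.EDU",
    "foo@SCHOOL2.EDU",    # same username, different person: a conflict
    "svc/backup@IU.EDU",
    "carol@OTHER.EDU",    # realm not in krb.conf: gets no local identity
]

def local_realms(conf_text):
    """Realms listed in krb.conf, one per line (blank lines ignored)."""
    return {ln.strip().upper() for ln in conf_text.splitlines() if ln.strip()}

def afs_identity(principal):
    """Split 'user[/instance]@REALM' into (afs_name, REALM)."""
    name, realm = principal.rsplit("@", 1)
    return name.replace("/", "."), realm.upper()

def find_collisions(principals, realms):
    """Return (collisions, unmapped).
    collisions: {afs_name: sorted realms} for names claimed by more than
    one local realm, which AFS would silently merge into one user.
    unmapped: principals whose realm is absent from krb.conf.
    """
    claims, unmapped = defaultdict(set), []
    for p in principals:
        name, realm = afs_identity(p)
        if realm in realms:
            claims[name].add(realm)
        else:
            unmapped.append(p)
    return {n: sorted(r) for n, r in claims.items() if len(r) > 1}, unmapped

if __name__ == "__main__":
    cols, unmapped = find_collisions(PRINCIPALS, local_realms(KRB_CONF))
    for name, realms in cols.items():
        print(f"CONFLICT: '{name}' claimed by {', '.join(realms)}")
    for p in unmapped:
        print(f"NOT LOCAL: {p}")
```

Run it against real principal exports from each trusted domain before adding those realms to krb.conf; any CONFLICT line is a username that would resolve to the same AFS user from two different domains.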