[OpenAFS] Re: OpenAFS and AD trusts

Jeffrey Altman jaltman@secure-endpoints.com
Mon, 11 Jul 2011 20:32:11 -0400

What you want to accomplish is fine, but all of your users will be
foreign identities in the AFS Protection database.

  john@iu.edu
  jane@school1.edu
  jack@school2.edu

etc., and you need to add groups for foreign realms
(system:authuser@FOREIGN.REALM) for each realm that you want to accept
users from.

Another thing that is critical is that the DNS host names of the AFS
VLDB servers be in the resource.net domain.  It must be possible for
aklog (or other tools) to perform a domain-to-realm mapping from the
VLDB server host name to the Kerberos realm that contains the AFS
service principal.

Jeffrey Altman


On 7/11/2011 8:23 PM, Danko Antolovic wrote:
> Andrew and Derrick,
>
> Thanks, but let me clarify: I am trying to separate the administrative part
> of managing many user databases from the proper functions of the AFS server.
>
> I want to have multiple domains like IU.EDU (school1.edu, school2.edu ...),
> providing user creds for a single AFS installation.  I could list them all
> in /usr/afs/etc/krb.conf, make all the asetkeys etc., but the idea is to
> have the AD manage multiple domains via trusts to RESOURCE.NET, and have AFS
> be aware of one domain only (you can see how this would be useful in the
> case of many different services, all authenticating through RESOURCE.NET).
>
> In principle, a kerberizable service should be able to function like that;
> my question is whether AFS can do it.
>
> There is also the issue of the local (AFS) user namespace, but I am taking
> one step at a time.
>
> Thanks,
>
> Danko Antolovic
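The domain-to-realm step Jeffrey describes above (aklog must get from a VLDB server host name to the realm holding the AFS service principal) modelled as an added example; this is not OpenAFS or libkrb5 code, and the `[domain_realm]` map, host names and the upper-casing fallback are constructed assumptions for illustration.

```python
# Added example: a minimal model of the Kerberos [domain_realm] lookup that
# aklog relies on when mapping a VLDB server host name to the realm that
# holds afs/cell@REALM. Not OpenAFS or MIT krb5 code; the mapping table and
# host names below are constructed for this example.
from typing import Dict, List

# Constructed stand-in for a krb5.conf [domain_realm] section: only the
# resource.net domain is mapped, matching the setup discussed in the thread.
DOMAIN_REALM: Dict[str, str] = {
    "resource.net": "RESOURCE.NET",
    ".resource.net": "RESOURCE.NET",
}


def host_to_realm(hostname: str, domain_realm: Dict[str, str]) -> str:
    """Resolve a host name to a realm.

    Lookup order mirrors the usual [domain_realm] semantics: an exact host
    entry wins, then each parent domain written with a leading dot, from the
    most specific to the least. If nothing matches, fall back to the
    upper-cased domain part of the name (a simplification of the library's
    fallback behaviour, assumed here for illustration).
    """
    host = hostname.rstrip(".").lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    # No explicit mapping: assume the realm is the domain, upper-cased.
    if len(labels) > 1:
        return ".".join(labels[1:]).upper()
    return host.upper()


def vldb_hosts_outside_realm(vldb_hosts: List[str], expected_realm: str,
                             domain_realm: Dict[str, str]) -> List[str]:
    """Return the VLDB server names that do NOT map to the realm holding the
    AFS service principal; a non-empty result is the misconfiguration the
    reply warns about (servers named outside the resource.net domain)."""
    return [h for h in vldb_hosts
            if host_to_realm(h, domain_realm) != expected_realm]


if __name__ == "__main__":
    # Constructed server list: one host named correctly, one that is not.
    servers = ["vldb1.resource.net", "afsdb.school1.edu"]
    print(vldb_hosts_outside_realm(servers, "RESOURCE.NET", DOMAIN_REALM))
```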
