[OpenAFS] Re: OpenAFS and AD trusts
Mon, 11 Jul 2011 20:32:11 -0400
What you want to accomplish is fine but all of your users will be
foreign identities in the AFS Protection database.
etc and you need to add groups for foreign realms
(system:authuser@FOREIGN.REALM) for each realm that you want to accept
Another thing that is critical is that the DNS host names of the afs
vldb servers be in the resource.net domain. It must be possible for
aklog (or other tools) to perform a domain to realm mapping from the
VLDB server host name to the Kerberos realm that contains the AFS
On 7/11/2011 8:23 PM, Danko Antolovic wrote:
> Andrew and Derrick,
> Thanks, but let me clarify: I am trying to separate the administrative
> of managing many user databases from the proper functions of the AFS se
> I want to have multiple domains like IU.EDU (school1.edu, school2.edu .
> providing user creds for a single AFS installation. I could list them
> in /usr/afs/etc/krb.conf, make all the asetkeys etc., but the idea is t
> have the AD manage multiple domains via trusts to RESOURCE.NET, and hav
> be aware of one domain only (you can see how this would be useful in th
> case of many different services, all authenticating through RESOURCE.NE
> In principle, a kerberizable service should be able to function like th
> my question is whether AFS can do it.
> There is also the issue of the local (AFS) user namespace, but I am tak
> one step at a time.
> Danko Antolovic
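As an added example (not from the thread or from OpenAFS itself), a small POSIX shell check for the host-to-realm requirement raised above: it applies the krb5.conf [domain_realm] lookup rule (exact host name first, then successively shorter parent domains with a leading dot) to a constructed map and verifies that each VLDB server name resolves to the realm that holds the AFS service principal. The map, host names and function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify that AFS VLDB server host names map to the
# expected Kerberos realm the way aklog's domain-to-realm lookup would.
# The [domain_realm]-style map below is constructed for this example.
DOMAIN_REALM_MAP='
.resource.net RESOURCE.NET
resource.net RESOURCE.NET
.school1.edu SCHOOL1.EDU
'

# lookup KEY: print the realm for an exact map entry, or nothing.
lookup() {
    printf '%s\n' "$DOMAIN_REALM_MAP" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# host_to_realm HOST: exact host entry first, then ".parent.domain"
# entries from the longest parent down to the top-level label.
host_to_realm() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(lookup "$host")
    rest=$host
    while [ -z "$realm" ] && [ "$rest" != "${rest#*.}" ]; do
        rest=${rest#*.}
        realm=$(lookup ".$rest")
    done
    printf '%s\n' "$realm"
}

# check_vldb_hosts REALM HOST...: report each host; return 0 only if
# every VLDB server name maps to REALM (a host with no mapping fails too).
check_vldb_hosts() {
    want=$1; shift
    status=0
    for h in "$@"; do
        got=$(host_to_realm "$h")
        if [ "$got" = "$want" ]; then
            echo "ok   $h -> $got"
        else
            echo "FAIL $h -> ${got:-<no mapping>} (expected $want)"
            status=1
        fi
    done
    return $status
}

# Constructed VLDB server names for the RESOURCE.NET cell.
check_vldb_hosts RESOURCE.NET vldb1.resource.net vldb2.resource.net
```

A VLDB server named under a domain with no mapping (for example one of the trusted school domains) is reported as FAIL, which is exactly the case where aklog cannot pick the AFS realm from the server name.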