[OpenAFS] Re: OpenAFS and AD trusts

Danko Antolovic dantolov@indiana.edu
Fri, 15 Jul 2011 15:58:12 -0400


Jeff,
What do you mean by:  "... you need to add groups for foreign realms
(system:authuser@FOREIGN.REALM) for each realm that you want to accept
users from." ?

If I understand the documentation correctly, there needs to be one group,
named precisely system:authuser@FOREIGN.REALM, which will contain all the
users from foreign realms:

" Enable automatic registration for users in the foreign cell. This may be
done by creating a cross-realm trust in the Kerberos Database. Then add a
PTS group named system:authuser@FOREIGN.REALM and give it a group quota
greater than the number of foreign users expected to be registered."

http://docs.openafs.org/AdminGuide/ch02s03.html

Also, on a naïve note, how do you create a group with the ownership
"system"? I am working as an admin, of course, but pts creategroup throws
up the message "Badly formed name (group prefix doesn't match owner?)"
regardless of what I do.

Danko


-----Original Message-----
From: openafs-info-admin@openafs.org [mailto:openafs-info-admin@openafs.org]
On Behalf Of Jeffrey Altman
Sent: Monday, July 11, 2011 8:32 PM
To: openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: OpenAFS and AD trusts

What you want to accomplish is fine but all of your users will be
foreign identities in the AFS Protection database.

  john@iu.edu
  jane@school1.edu
  jack@school2.edu

etc and you need to add groups for foreign realms
(system:authuser@FOREIGN.REALM) for each realm that you want to accept
users from.

Another thing that is critical is that the DNS host names of the afs
vldb servers be in the resource.net domain.  It must be possible for
aklog (or other tools) to perform a domain to realm mapping from the
VLDB server host name to the Kerberos realm that contains the AFS
service principal.

Jeffrey Altman


On 7/11/2011 8:23 PM, Danko Antolovic wrote:
> Andrew and Derrick,
>
> Thanks, but let me clarify: I am trying to separate the administrative part
> of managing many user databases from the proper functions of the AFS server.
>
> I want to have multiple domains like IU.EDU (school1.edu, school2.edu ...),
> providing user creds for a single AFS installation.  I could list them all
> in /usr/afs/etc/krb.conf, make all the asetkeys etc., but the idea is to
> have the AD manage multiple domains via trusts to RESOURCE.NET, and have AFS
> be aware of one domain only (you can see how this would be useful in the
> case of many different services, all authenticating through RESOURCE.NET).
>
> In principle, a kerberizable service should be able to function like that;
> my question is whether AFS can do it.
>
> There is also the issue of the local (AFS) user namespace, but I am taking
> one step at a time.
>
> Thanks,
>
> Danko Antolovic
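Jeff's point about the domain-to-realm mapping, as an added example that is not part of this thread or of OpenAFS: a small Python check that every VLDB server host name maps to the realm holding the AFS service principal, the lookup aklog has to be able to make. It assumes a simplified model of the krb5 [domain_realm] lookup (exact host, then dotted parent domains, then the upper-cased parent domain as the fallback) and uses constructed host names; consult your libkrb5 for its exact rules.

```python
"""Check that each OpenAFS VLDB server host name maps to the Kerberos realm
that holds the afs/<cell> service principal.

Added example for this thread (not OpenAFS code). The lookup below is an
assumption: a simplified model of the krb5 [domain_realm] rules, where an
exact host entry wins, then ".parent.domain" entries from most to least
specific, and otherwise the host's parent domain upper-cased is guessed.
"""

# Constructed sample describing the single-realm design from the thread:
# AFS should only know RESOURCE.NET, so every VLDB host must map to it.
SERVICE_REALM = "RESOURCE.NET"
DOMAIN_REALM = {
    ".resource.net": "RESOURCE.NET",
    ".iu.edu": "IU.EDU",
}
VLDB_SERVERS = ["afsdb1.resource.net", "afsdb2.resource.net", "afsdb3.iu.edu"]


def host_to_realm(hostname, domain_realm):
    """Return the realm a client would derive for hostname (see module doc)."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:          # exact host entry
        return domain_realm[host]
    labels = host.split(".")
    # Parent-domain entries: ".b.c.d", then ".c.d", then ".d".
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    # Fallback guess: the parent domain, upper-cased.
    return ".".join(labels[1:]).upper() if len(labels) > 1 else host.upper()


def check_vldb_servers(servers, domain_realm, service_realm):
    """Return the VLDB hosts whose derived realm is not service_realm."""
    return [h for h in servers if host_to_realm(h, domain_realm) != service_realm]


if __name__ == "__main__":
    for h in check_vldb_servers(VLDB_SERVERS, DOMAIN_REALM, SERVICE_REALM):
        print(f"{h}: maps to {host_to_realm(h, DOMAIN_REALM)}, not {SERVICE_REALM}")
```

With the constructed data the third server is flagged because its name lives under iu.edu, which is exactly the misconfiguration Jeff warns about.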