[OpenAFS] Re: Active Directory Kerberos ticket allowing to access OpenAFS cell?
Douglas E. Engert
deengert@anl.gov
Wed, 02 Nov 2011 13:22:34 -0500
On 11/2/2011 11:51 AM, Andrew Deason wrote:
> On Wed, 2 Nov 2011 17:17:20 +0100
> stasheck <stasheck.fora@gmail.com> wrote:
>
>> What I know, what I need:
> [...]
>> - I can form mutual trust relationship between MIT and AD (did that to
>> test some previous ideas)
>
> This isn't strictly necessary, though it may be the easier way to go,
> depending on your relationship with AD. You can set up the MIT and AD
> realms as just completely separate realms that both have access to AFS.
> Just set up each one as if it were the only realm, add the afs service
> principal for each realm to the afs KeyFile,
Make sure they have different key version numbers, as the KeyFile only
stores the kvno and key.

> and put both realms in
> /usr/afs/etc/krb.conf.
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
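
Added example, not part of the original message or of OpenAFS itself: a pre-flight check for the kvno collision described above, run before the second realm's afs key is added to the KeyFile. It assumes the classic KeyFile layout (a 32-bit big-endian entry count, then a 32-bit kvno and an 8-byte key per entry); the realm names, key bytes and function names are constructed for illustration.

```python
import struct

# Assumed layout: the page only says the KeyFile stores "the kvno and key".
# Each entry is a big-endian 32-bit kvno followed by an 8-byte key; no realm
# or principal name is recorded, so the kvno alone selects the key.
ENTRY = struct.Struct(">i8s")


def parse_keyfile(blob):
    """Return {kvno: key} from raw KeyFile bytes, rejecting malformed input."""
    if len(blob) < 4:
        raise ValueError("KeyFile too short for entry count")
    (count,) = struct.unpack_from(">i", blob, 0)
    if count < 0 or len(blob) < 4 + count * ENTRY.size:
        raise ValueError("entry count does not match file length")
    keys = {}
    for i in range(count):
        kvno, key = ENTRY.unpack_from(blob, 4 + i * ENTRY.size)
        if kvno in keys:
            raise ValueError(f"kvno {kvno} appears twice")
        keys[kvno] = key
    return keys


def plan_additions(blob, candidates):
    """candidates: (realm, kvno, key) for each realm's afs service principal.

    Returns (accepted, rejected). A candidate is rejected when its kvno is
    already bound to a different key, either in the KeyFile or by an earlier
    candidate; rejected entries name who holds the kvno.
    """
    taken = {kvno: ("KeyFile", key) for kvno, key in parse_keyfile(blob).items()}
    accepted, rejected = [], []
    for realm, kvno, key in candidates:
        if kvno in taken and taken[kvno][1] != key:
            rejected.append((realm, kvno, taken[kvno][0]))
        else:
            taken.setdefault(kvno, (realm, key))
            accepted.append((realm, kvno))
    return accepted, rejected


# Constructed sample: a KeyFile already holding the first realm's key at kvno 3.
MIT_KEY, AD_KEY = b"\x01" * 8, b"\x02" * 8
SAMPLE_KEYFILE = struct.pack(">i", 1) + ENTRY.pack(3, MIT_KEY)
CANDIDATES = [("MIT.EXAMPLE.ORG", 3, MIT_KEY),   # already present, same key
              ("AD.EXAMPLE.ORG", 3, AD_KEY),     # same kvno, different key
              ("AD.EXAMPLE.ORG", 4, AD_KEY)]     # distinct kvno

if __name__ == "__main__":
    print(plan_additions(SAMPLE_KEYFILE, CANDIDATES))
```
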