[OpenAFS] Re: One cell with multiple Kerberos realms

Andrew Deason adeason@sinenomine.net
Wed, 9 Nov 2011 10:10:41 -0600


On Wed, 9 Nov 2011 10:21:47 +0000
Owen Le Blanc <LeBlanc@man.ac.uk> wrote:

> I've seen two presentations in which it was mentioned that it is
> possible to set up an AFS cell with more than one Kerberos realm.  We
> are in a situation in which this might prove useful, and I was
> wondering whether there is any more information about this.  Has
> anyone any experience with it?  How is it done?  I haven't found
> anything about it in the wiki.

Assuming you consider username@REALM1 and username@REALM2 to both be the
user "username", it's not very complex. (Getting some of the pieces to
work, especially with Active Directory, can be annoying, but the
conceptual steps involved are straightforward.)

The only OpenAFS-specific configuration that's really special about this
case is configuring krb.conf:
<http://docs.openafs.org/Reference/5/krb.conf.html>. For everything
else, you generally do the same thing as setting up a single krb5 realm.
You can either:

  - Have two separate afs/cell@REALM1 and afs/cell@REALM2 principals,
    and set them up as you would normally for a single-realm setup.
    When you get to the point of adding the keytab to the AFS KeyFile,
    just make sure they have different kvnos.

  - Have a single afs/cell@REALM1 principal, and set up a cross-realm
    trust between REALM1 and REALM2. Clients in REALM2 need to know that
    they need to go to REALM1 to get the afs/cell service princ, but if
    you have your domain_realm mappings and such set correctly, this
    should work without too much fuss.

-- 
Andrew Deason
adeason@sinenomine.net
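As an added illustration of the two pieces described in the reply above (not part of the original message or of OpenAFS itself): a script that writes a krb.conf listing the realms treated as local to the cell, writes the krb5.conf domain_realm fragment that points REALM2 clients at REALM1's afs/cell service for the cross-realm variant, and checks a "klist -k" style keytab listing to confirm that the afs/cell principals from the two realms carry different kvnos before they go into the KeyFile. The cell name, realm names, paths and the keytab listing are constructed placeholders; the functions check_afs_kvnos, write_krb_conf and write_domain_realm are this example's own.

```shell
#!/bin/sh
# Added example (not from the original message). Constructed placeholders:
# cell example.org, realms EXAMPLE.ORG (REALM1) and AD.EXAMPLE.ORG (REALM2).

# 1. krb.conf on the servers: one realm name per line, as documented in the
#    krb.conf(5) page linked in the reply. Both realms listed here are treated
#    as local, so user@EXAMPLE.ORG and user@AD.EXAMPLE.ORG map to the
#    same AFS user "user".
write_krb_conf() {
    cat > "$1" <<'EOF'
EXAMPLE.ORG
AD.EXAMPLE.ORG
EOF
}

# 2. krb5.conf fragment for the single-principal, cross-realm variant:
#    map the cell's DNS domain to REALM1 so clients in REALM2 ask REALM1
#    for afs/example.org rather than their own KDC.
write_domain_realm() {
    cat > "$1" <<'EOF'
[domain_realm]
    example.org  = EXAMPLE.ORG
    .example.org = EXAMPLE.ORG
EOF
}

# 3. Two-principal variant: the KeyFile is indexed by kvno alone, so the
#    afs/cell@REALM1 and afs/cell@REALM2 keys must not share a kvno.
#    Reads "klist -k" style lines ("KVNO Principal") on stdin, prints "ok"
#    when every kvno is used by at most one afs/ principal, otherwise
#    prints the clashing kvno(s) and returns 1.
check_afs_kvnos() {
    awk '
        # keep data lines only: numeric kvno, principal beginning with afs/
        $1 ~ /^[0-9]+$/ && $2 ~ /^afs\// {
            if (!(($1, $2) in seen)) {   # count each (kvno, principal) once
                seen[$1, $2] = 1
                users[$1]++
            }
        }
        END {
            bad = 0
            for (k in users)
                if (users[k] > 1) {
                    print "kvno " k " is used by more than one afs/ principal"
                    bad = 1
                }
            if (!bad) print "ok"
            exit bad
        }'
}

# Demo on constructed input (only runs when executed directly).
if [ "${AFS_EXAMPLE_DEMO:-1}" = 1 ]; then
    tmp=$(mktemp -d)
    write_krb_conf "$tmp/krb.conf"
    write_domain_realm "$tmp/krb5-domain-realm.conf"
    cat "$tmp/krb.conf" "$tmp/krb5-domain-realm.conf"
    # a constructed keytab listing in the layout "klist -k" prints
    printf 'KVNO Principal\n---- ---------\n   3 afs/example.org@EXAMPLE.ORG\n   4 afs/example.org@AD.EXAMPLE.ORG\n' \
        | check_afs_kvnos
    rm -rf "$tmp"
fi
```

In practice the listing fed to check_afs_kvnos comes from running klist -k against the keytab(s) you are about to hand to asetkey; the function only looks at afs/ entries, so other service principals in the same keytab are ignored.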