[OpenAFS] OS X Lion: multiple Kerberos realms ?

Gabriel L. Somlo gsomlo@gmail.com
Wed, 18 Jul 2012 13:25:11 -0400


On Wed, Jul 18, 2012 at 12:55:13PM -0400, Brandon Allbery wrote:
> On Wed, Jul 18, 2012 at 12:45 PM, Gabriel L. Somlo <gsomlo@gmail.com> wrote:
> 
> > I can easily (via kinit, or the Ticket Viewer) acquire tickets for any
> >
> 
> Via kinit?  Really?

Heh, yeah. Not knowing it's "not supposed to" work, I tried, and I got
tickets for both realms to show up in the viewer. True, klist will
only show one (whichever was acquired last), but once I have the
tickets, I can map Samba shares and work in AFS simultaneously,
without any apparent problems.

> Kerberos doesn't really have a good way to deal with multiple realms.
>  Apple's modified Kerberos tries to work around this (so it *does* sort of
> work from Ticket Viewer) but the standard Kerberos APIs don't provide ways
> to specify the realm credentials to use.  This means (a) not much if any
> support from login, and (b) programs like Samba and OpenAFS can only see
> the currently selected credentials in Ticket Viewer, not all of them.

OK, so I'm obviously trying to work around a political problem with
technology, which usually involves a fair amount of pain :) I can buy
(a) above -- I didn't know that, and it was basically my original
question if/how I can get that to work. However, (b) seems to work just
fine.

> I will also note that this would only work "well" at login if you used the
> same password in both realms, which is a very bad idea and possibly a
> security violation.

OK, to provide an explanation for this: there's a Unix Kerberos realm,
and an AD one within the same org. The passwords are synchronized
across the two realms (for that old "single-sign-on" feeling). It's
easy (and supported) to join a Samba server to the AD domain (and
require users to have AD kerb tickets to map shares). It's not easy
to get a cifs service principal from the Unix Kerberos side
(organizationally speaking, not talking about the technical act of
generating the service principal).

The path of least resistance appeared to be to acquire two sets of
tickets and move on, except now you're telling me that it's a mere
accident it even works to begin with, forget about automating it at
login :)

I guess the currently available solution is to either

	1. work a political miracle and get a Unix kerberos
	   service principal for Samba, then use just the Unix
	   realm.

or

	2. pick a realm (either AD or Unix) to authenticate against
	   at login, and leave users with having to enter their
	   password again whenever they attempt to connect to AFS or
	   Samba, respectively (whichever service authenticated by the
	   *other* realm)

Obviously, the technically sound way would be #1 (which is what Jeffrey
also suggested), but I was hoping I can avoid an (unfortunately much more
likely) #2...

Thanks,
--Gabriel