[OpenAFS] Re: OS X Lion: multiple Kerberos realms ?

Andrew Deason adeason@sinenomine.net
Wed, 18 Jul 2012 12:50:15 -0500


On Wed, 18 Jul 2012 13:25:11 -0400
"Gabriel L. Somlo" <gsomlo@gmail.com> wrote:

> I guess the currently available solution is to either
>
> 	1. work a political miracle and get a Unix Kerberos
> 	   service principal for Samba, then use just the Unix
> 	   realm.

If I'm understanding your scenario right, I think you are missing two
other options:

3. Create an AFS service principal in the AD realm.

4. Create a cross-realm trust between the two realms. The AFS service
principal lives in the Unix realm, and the users get tickets for AD.

Both of these let you authenticate to AFS while having tickets only for
AD.

-- 
Andrew Deason
adeason@sinenomine.net