[OpenAFS] Re: OS X Lion: multiple Kerberos realms?
Harald Barth
haba@kth.se
Thu, 19 Jul 2012 10:50:45 +0200 (CEST)
>> 1. work a political miracle and get a Unix kerberos
>> service principal for Samba, then use just the Unix
>> realm.
>
> If I'm understanding your scenario right, I think you are missing two
> other options:
>
> 3. Create an AFS service principal in the AD realm.
>
> 4. Create a cross-realm trust between the two realms. The AFS service
> principal lives in the Unix realm, and the users get tickets for AD.
>
> Both of these let you authenticate to AFS while having tickets only for
> AD.
As we have the same situation at KTH, in that the keeper of the AD will not
do such things unless pigz fliez, I understand Gabriel's problem. I have
been juggling with small scripts that set KRB5CCNAME, then authenticate
without afslog, and then afslog to a specific cell in that token's context,
for years. But it still fails in situations where a program expects to
have its credentials in a single KRB5CCNAME, like Thunderbird talking to
different realms.
So what tools do we have for "alien" multi realm scenarios?
Harald.
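The per-realm credential-cache juggling described in the message above, written out as an added example; this is not Harald's script nor anything from OpenAFS. It assumes Heimdal's kinit and afslog (kinit --no-afslog suppresses the automatic afslog that Heimdal's kinit otherwise performs; afslog --cell names the cell), and the directory layout, principal and cell names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# One Kerberos credential cache per realm: tickets for the AD realm and for
# the Unix realm never share a cache, and AFS tokens for a cell are obtained
# from the cache of the realm that cell's service principal lives in.
set -e

# Constructed convention: one directory per user holding one FILE: cache per realm.
CACHE_DIR="${TMPDIR:-/tmp}/krb5cc_$(id -u)_realms"

# Map a realm name to its own FILE: cache path.  The realm is lower-cased and
# any character unsafe in a file name is replaced with '_'.
realm_cache_path() {
    realm="$1"
    safe=$(printf '%s\n' "$realm" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9.]/_/g')
    printf 'FILE:%s/%s' "$CACHE_DIR" "$safe"
}

# Get tickets for the principal's realm into that realm's cache, then AFS
# tokens for one cell using only that cache.  The caller's own KRB5CCNAME is
# left untouched, so tickets already held for another realm survive.
# Assumes Heimdal kinit/afslog flags (--no-afslog, --cell).
tokens_for_cell() {
    principal="$1"          # e.g. haba@UNIX.EXAMPLE.ORG (placeholder)
    cell="$2"               # e.g. afs.example.org (placeholder)
    realm="${principal##*@}"
    cache=$(realm_cache_path "$realm")
    mkdir -p "$CACHE_DIR"
    chmod 700 "$CACHE_DIR"
    # --no-afslog: Heimdal kinit would otherwise afslog to the default cell
    # using whatever realm the ticket came from.
    KRB5CCNAME="$cache" kinit --no-afslog "$principal"
    KRB5CCNAME="$cache" afslog --cell="$cell"
}

# Run one program with the cache of a single realm, for programs that expect
# all their Kerberos credentials under one KRB5CCNAME.
run_in_realm() {
    realm="$1"
    shift
    KRB5CCNAME=$(realm_cache_path "$realm") "$@"
}

# Usage (placeholders):
#   tokens_for_cell haba@UNIX.EXAMPLE.ORG afs.example.org
#   tokens_for_cell haba@AD.EXAMPLE.ORG   ad-cell.example.org
#   run_in_realm AD.EXAMPLE.ORG thunderbird
```

Each tokens_for_cell call leaves a separate cache behind, so a program that only honours one KRB5CCNAME can be pointed at the realm it needs with run_in_realm; a program that needs both realms at once is exactly the case the message says this approach does not cover.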