[OpenAFS] Re: OS X Lion: multiple Kerberos realms ?
Thu, 19 Jul 2012 10:50:45 +0200 (CEST)
>> 1. work a political miracle and get a Unix Kerberos
>> service principal for Samba, then use just the Unix
> If I'm understanding your scenario right, I think you are missing two
> other options:
> 3. Create an AFS service principal in the AD realm.
> 4. Create a cross-realm trust between the two realms. The AFS service
> principal lives in the Unix realm, and the users get tickets for AD.
> Both of these let you authenticate to AFS while having tickets only for
As we have the same situation at KTH that the keeper of the AD will not
do such things unless pigz fliez, I understand Gabriel's problem. I have
been juggling with small scripts that do set KRB5CCNAME, then authenticate
without afslog and then afslog to a specific cell in that token's context
for years. But it still fails in situations where a program expects to
have its credentials in a single KRB5CCNAME like Thunderbird towards
So what tools do we have for "alien" multi realm scenarios?