[OpenAFS] Two realms and one cell

Ken Dreyer ktdreyer@ktdreyer.com
Wed, 9 Jul 2014 13:49:14 -0600


On Thu, Jul 3, 2014 at 5:59 AM, Harald Barth <haba@kth.se> wrote:
>
>> A little question. We have one AFS cell myrealm.fr and a Kerberos
>> realm myrealm.fr. We must use our AFS cell with another realm named
>> otherrealm.fr. There are no trusted relations between myrealm.fr and
>> otherrealm.fr. Is it possible?
>
> If you don't trust otherrealm.fr enough to establish cross-realm, you
> probably don't trust otherrealm.fr enough to give them a set of AFS
> service keys for your servers.

There is another way of looking at it: let's say one realm is
incredibly bureaucratic and managed by administrators in an entirely
different part of the organization. The other realm is managed by the
same group of people who manage the AFS cell. There will never be a
cross-realm trust relationship because the people don't trust each
other and never will :)

- Ken