[OpenAFS] Cross-realm access
Benjamin Kaduk
kaduk@MIT.EDU
Mon, 21 Jul 2014 12:13:00 -0400 (EDT)

On Mon, 21 Jul 2014, Jaap Winius wrote:
> Hi folks,
>
> After setting up Kerberos cross-realm access and then creating a
> system:authuser@<MY_REALM> group in a foreign cell, it seems that basic rl
> access to the cell's contents is only possible after that group is given rl
> access to every single directory that system:authuser has access to. Not very
> convenient.
>
> Is there an easy way around this, like something equivalent to making
> system:authuser@<MY_REALM> a member of system:authuser?

If the two Kerberos realms involved have a unified namespace for client
principals (minus the realm name), you can configure your cell to accept
authentication from either realm by creating AFS service principals in
both realms and putting both sets of keys on the AFS servers. It is
probably a good idea to make the AFS service principals have distinct
kvnos, as this was required for 1DES keys in the KeyFile, and will be
required again for all keys in the KeyFileExt (the code on master), but is
not currently required for krb5 keys in the rxkad.keytab.

The krb.conf config file is used to specify what realms authenticate to
the cell.

This sort of configuration does require some thought and analysis of
whether it is actually applicable to your site. For example, if the two
realms involved are A.EXAMPLE.ORG and B.EXAMPLE.ORG, and joe@A.EXAMPLE.ORG
and joe@B.EXAMPLE.ORG are different people, this scheme is not
appropriate.

-Ben