[OpenAFS] single OpenAFS cell and multiple/different kerberos realms

Harald Barth haba@kth.se
Wed, 28 Jan 2015 08:13:01 +0100 (CET)


> In order for user@B to obtain afs/cellname@A there must be a cross-realm
> relationship between A and B.
> 
> The other way to obtain a token for "cellname" is to add a service
> principal afs/cellname@B to realm B and then export the key and add it
> in addition to the key from afs/cellname@A to the AFS cell.

That summarizes it quite well. I think you must at least put the
krbtgt/A@B into B which means that A trusts B or the afs/a@B into
B which means that the AFS servers in a trust B.

If you only can get user- (and not service-) principals into B, you
lose.

Harald.