Yeah, it sounds very much like what we are needing to do... I'll still need to modify kerberos and ssh (since I don't see any way to get krb login or ssh to accept login for X from more than one different realm) - but not having to modify AFS on the clients is a big plus.
-- Nathan ------------------------------------------------------------
Nathan Neulinger                       EMail: [EMAIL PROTECTED]
University of Missouri - Rolla         Phone: (573) 341-6679
UMR Information Technology             Fax: (573) 341-4216

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Montague
> Sent: Wednesday, September 22, 2004 10:20 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [OpenAFS-devel] Anyone supporting multiple realms in a "all realms are equal" type of setup?
>
> On Wed, 22 Sep 2004, Neulinger, Nathan wrote:
>
> > I have a scenario that I'm needing to treat 5 or 6 different kerberos
> > realms as equivalent for access to AFS even though they have different
> > sets of users in them. Other requirement is that users not have to type
> > in the full "[EMAIL PROTECTED]" for acling.
>
> Not sure if this is exactly what you want, but the lsa.umich.edu
> cell accepts Kerberos credentials from either the LSA.UMICH.EDU
> Kerberos realm or the UMICH.EDU Kerberos realm when issuing
> tokens for the lsa.umich.edu cell. No changes to SSH, Kerberos,
> PAM, SSH, or anything else on the client side were necessary for
> this (aside from the fact that you'll need to use kinit+aklog
> instead of klog in order to present the Kerberos tickets to AFS).
> You'll need an appropriate AFS principal added to your Kerberos
> server (afs/[EMAIL PROTECTED] -- e.g., afs/[EMAIL PROTECTED]).
> On the AFS server, implementing this requires creating a
> /usr/afs/etc/krb.conf file with the appropriate realm(s),
> and adding a key for the other Kerberos realm's AFS principal
> to your /usr/afs/etc/KeyFile so that the AFS server will
> trust the other Kerberos realm.
>
> This scheme uses the PTS users of the local cell, so users
> never have to type "[EMAIL PROTECTED]" for anything. But it does
> mean that all users from the other Kerberos realms will need
> to be added to your local cell's PTS database; things are
> not "automatic" in this regard.
>
> Note that I did not do the work described above in our
> environment, but if this sounds useful to you I can get
> you the complete list of steps we followed and put you in
> touch with the right people here.
>
> Mark Montague
> LS&A Information Technology
> The University of Michigan
> [EMAIL PROTECTED]
>
> _______________________________________________
> OpenAFS-devel mailing list
> [EMAIL PROTECTED]
> https://lists.openafs.org/mailman/listinfo/openafs-devel
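The procedure Mark describes in the quoted message (an afs/ principal for the cell in the other realm, a krb.conf on the servers listing the realms that count as local, that realm's key imported into KeyFile, PTS users created in the local cell, and kinit+aklog instead of klog on the client), written out as a script. This is an added example, not code from the thread or from OpenAFS itself. The cell name example.com, the realms EXAMPLE.COM and OTHER.EXAMPLE.COM, the host db1.example.com and the user alice are hypothetical; the one-realm-per-line layout of krb.conf is an assumption (OpenAFS tokenises the file on whitespace, so a space-separated list on one line should also work); and the key-handling commands are the 2004-era ones (single-DES key in KeyFile, `asetkey add kvno keytab principal`).

```shell
#!/bin/sh
# Added example, not code from the OpenAFS-devel thread or from OpenAFS itself.
# Assumed (hypothetical) names: cell example.com with its own realm EXAMPLE.COM,
# a second realm OTHER.EXAMPLE.COM whose users should also get tokens, a
# database server db1.example.com, and MIT Kerberos (kadmin.local) on the KDCs.
# DRY_RUN=1 (the default) prints each privileged command instead of running it.

CELL=${CELL:-example.com}
LOCAL_REALM=${LOCAL_REALM:-EXAMPLE.COM}
OTHER_REALM=${OTHER_REALM:-OTHER.EXAMPLE.COM}
AFS_ETC=${AFS_ETC:-/usr/afs/etc}
DB_SERVER=${DB_SERVER:-db1.example.com}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Step 1 (KDC of the other realm): create afs/<cell>@<other realm> with a
# random key and export it to a keytab. KeyFile of that era holds single-DES
# keys, hence the enctype restriction on ktadd.
kdc_create_afs_principal() {
    princ="afs/$CELL@$OTHER_REALM"
    run kadmin.local -q "addprinc -randkey $princ"
    run kadmin.local -q "ktadd -k /tmp/afs-$OTHER_REALM.keytab -e des-cbc-crc:v4 $princ"
}

# Step 2 (every AFS server): list the realms the servers treat as local in
# krb.conf. One realm per line is an assumption; OpenAFS splits the file on
# whitespace, so line breaks versus spaces should not matter.
write_krb_conf() {
    printf '%s\n%s\n' "$LOCAL_REALM" "$OTHER_REALM" > "$AFS_ETC/krb.conf"
    chmod 644 "$AFS_ETC/krb.conf"
}

# Returns 0 if realm $1 is listed in krb.conf, else 1 (check before restarting).
realm_is_local() {
    [ -r "$AFS_ETC/krb.conf" ] && tr ' \t' '\n\n' < "$AFS_ETC/krb.conf" | grep -qxF "$1"
}

# Step 3 (every AFS server): add the other realm's afs/ key to KeyFile at the
# kvno the KDC assigned (see 'klist -k -e' on the keytab), then restart so the
# servers pick up both krb.conf and the new key.
import_other_realm_key() {
    kvno=$1
    run asetkey add "$kvno" "/tmp/afs-$OTHER_REALM.keytab" "afs/$CELL@$OTHER_REALM"
    run bos restart -server "$DB_SERVER" -all -localauth
}

# Step 4: the scheme maps user@OTHER_REALM onto the local PTS user "user", so
# every such user has to exist in the cell's PTS database (nothing is automatic).
pts_add_user() {
    run pts createuser -name "$1" -cell "$CELL" -localauth
}

# Step 5 (client): kinit in the other realm, then aklog; klog cannot be used.
client_get_tokens() {
    run kinit "$1@$OTHER_REALM"
    run aklog -cell "$CELL"
    run tokens
}

# Usage: sh this.sh all [kvno]   (DRY_RUN=0 to really execute the commands)
if [ "${1:-}" = all ]; then
    kdc_create_afs_principal
    write_krb_conf
    import_other_realm_key "${2:-2}"
    pts_add_user alice
    client_get_tokens alice
fi
```

Run it with `DRY_RUN=1 sh this.sh all` first and read the printed commands; steps 1 and 3 run on different machines (the other realm's KDC and each AFS server), so in practice you copy the keytab between them and run the matching function on each. Two caveats: `bos restart -all` takes the servers down briefly, so do step 3 in a maintenance window, and newer OpenAFS releases keep non-DES keys in KeyFileExt with a different `asetkey add` argument list, so check asetkey(8) for the installed version before running step 3 for real.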
