"Danko Antolovic" <danto...@indiana.edu> writes:

> Thanks, but let me clarify: I am trying to separate the administrative
> part of managing many user databases from the proper functions of the
> AFS server.
>
> I want to have multiple domains like IU.EDU (school1.edu, school2.edu
> ...), providing user creds for a single AFS installation. I could list
> them all in /usr/afs/etc/krb.conf, make all the asetkeys etc., but the
> idea is to have the AD manage multiple domains via trusts to
> RESOURCE.NET, and have AFS be aware of one domain only (you can see how
> this would be useful in the case of many different services, all
> authenticating through RESOURCE.NET).

AFS goes off of the expressed principal in the service ticket for AFS, so you need to do one of two things:

1) Put all of your user principals who will use AFS inside a single IU.EDU domain (or some subdomain, but they all have to be in one domain). You can still put hosts and other principals that don't need AFS access in other domains, and of course use domain trust, but all the users would have to log on to the single designated domain. (That's what we do at Stanford, roughly.)

2) Configure AFS to be aware of all of the subdomains and treat them all as equivalent to the local domain. Note that in order to do this you will need to ensure there are no namespace conflicts; in other words, the username "foo" has to be unique across all the trusted domains. You can't have it be a different person in two different domains.

Later versions of AFS will be able to do other, more useful things, but we're not there yet.

Even if you do #2, you will still need to set up cross-realm trust. But trust alone doesn't fix the problem; you need both trust and some sort of user mapping for AFS, and right now only the krb.conf user mapping is available (at least without source code modifications).

-- 
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
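An added example, not part of the thread above: a small Python check for the precondition of option 2, namely that the name part of every principal maps to one person across all realms you intend to list in /usr/afs/etc/krb.conf as equivalent to the local cell. The realm names and user lists are constructed sample data, and the krb.conf writer assumes the file is a whitespace-separated list of realm names.

```python
"""Detect AFS user-name collisions across trusted Kerberos realms.

OpenAFS identifies a user by the name component of the principal in the
service ticket, so once several realms are treated as local, "foo" must be
the same person in every one of them. The data below is constructed.
"""
from collections import defaultdict

# Constructed sample: principals exported from each trusted realm.
REALM_USERS = {
    "SCHOOL1.EDU": ["alice", "bob", "foo"],
    "SCHOOL2.EDU": ["carol", "foo", "dave"],
    "IU.EDU": ["erin", "bob"],
}


def afs_name(principal: str) -> tuple[str, str]:
    """Split 'user@REALM' into (user, REALM); AFS keys on the user part only."""
    name, _, realm = principal.partition("@")
    if not name or not realm:
        raise ValueError(f"not a user@REALM principal: {principal!r}")
    return name, realm.upper()


def find_collisions(realm_users: dict) -> dict:
    """Return {afs_user: sorted realms} for names present in more than one realm."""
    seen = defaultdict(set)
    for realm, users in realm_users.items():
        for user in users:
            name, r = afs_name(f"{user}@{realm}")
            seen[name].add(r)
    return {n: sorted(r) for n, r in seen.items() if len(r) > 1}


def krb_conf_realms(realm_users: dict) -> list:
    """Realms safe to list in krb.conf (one per line); refuse while collisions exist."""
    collisions = find_collisions(realm_users)
    if collisions:
        detail = ", ".join(f"{n} in {'/'.join(r)}" for n, r in collisions.items())
        raise ValueError("resolve name collisions before listing realms as local: " + detail)
    return sorted(realm_users)


if __name__ == "__main__":
    for user, realms in find_collisions(REALM_USERS).items():
        print(f"collision: {user} exists in {', '.join(realms)}")
```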