On Mon, 21 Jul 2014, Jaap Winius wrote:

Hi folks,

After setting up Kerberos cross-realm access and then creating a system:authuser@<MY_REALM> group in a foreign cell, it seems that basic rl access to the cell's contents is only possible after that group is given rl access to every single directory that system:authuser has access to. Not very convenient.

Is there an easy way around this, like something equivalent to making system:authuser@<MY_REALM> a member of system:authuser?

If the two Kerberos realms involved have a unified namespace for client principals (minus the realm name), you can configure your cell to accept authentication from either realm by creating AFS service principals in both realms and putting both sets of keys on the AFS servers. It is probably a good idea to make the AFS service principals have distinct kvnos, as this was required for 1DES keys in the KeyFile, and will be required again for all keys in the KeyFileExt (the code on master), but is not currently required for krb5 keys in the rxkad.keytab.

The krb.conf config file is used to specify what realms authenticate to the cell.

This sort of configuration does require some thought and analysis of whether it is actually applicable to your site. For example, if the two realms involved are A.EXAMPLE.ORG and B.EXAMPLE.ORG, and j...@a.example.org and j...@b.example.org are different people, this scheme is not appropriate.

-Ben
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
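Added example, not code from Ben's reply or from OpenAFS itself: a small Python check that reads `klist -k -e` output for a server's rxkad.keytab, flags AFS service keys from different realms that share a kvno (the situation Ben suggests avoiding), and lists realms that hold keys but are absent from krb.conf. The cell name, realm names and keytab listing are constructed, and krb.conf is assumed to contain whitespace-separated realm names.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k -e` output for a hypothetical cell
# example.org that accepts tickets from realms A.EXAMPLE.ORG and B.EXAMPLE.ORG.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs/example.org@A.EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   3 afs/example.org@A.EXAMPLE.ORG (aes128-cts-hmac-sha1-96)
   3 afs/example.org@B.EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
"""

# One keytab entry line: kvno, principal, realm, enctype in parentheses.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return a list of (kvno, principal_without_realm, realm, enctype)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def kvno_collisions(entries):
    """Map (principal, kvno) -> sorted realms for every kvno that the same
    service principal name uses in more than one realm."""
    realms_by_key = defaultdict(set)
    for kvno, princ, realm, _enctype in entries:
        realms_by_key[(princ, kvno)].add(realm)
    return {k: sorted(v) for k, v in realms_by_key.items() if len(v) > 1}


def realms_in_keytab(entries):
    """Sorted list of realms that have at least one key in the keytab."""
    return sorted({realm for _kvno, _princ, realm, _enc in entries})


def missing_from_krb_conf(entries, krb_conf_text):
    """Realms with keys in the keytab that krb.conf does not list.
    Assumption: krb.conf holds whitespace-separated realm names."""
    listed = set(krb_conf_text.split())
    return [r for r in realms_in_keytab(entries) if r not in listed]
```

Run against a real server with `klist -k -e /etc/openafs/server/rxkad.keytab` piped into `parse_klist`; an empty result from `kvno_collisions` means each realm's AFS key has its own kvno.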