> Can a user logged in at his/her local cell get a token for a foreign
> cell without logging in to the foreign cell? Can an ACL contain rights
> for users of foreign cells? I am really asking whether AFS supports
> something like Kerberos inter-realm authentication.
>
> If so, is there any document available?

I know that code exists to do this... We have it running here at MIT.
It was developed at CMU, I know. I don't know what Transarc is doing
with it. Supposedly there is going to be another "3.2" release (3.2a,
I think) which should have this code in it, but I can't be sure.

A few things about it.... First, you need to have a shared key with
any other sites you want to share information with. If you are using MIT
Kerberos, you can just use "aklog", normally, and it will do the right
thing. However, if you are running a kaserver, then you will need to
run a program called "cklog", which was developed at CMU, and which I
expanded to incorporate the MIT AFS view of the world.

This works by creating a group "system:authuser@remote-realm" in your
local cell, and then giving it a group quota. That group quota is the
number of people who can create pts IDs for themselves from that
realm. When someone creates their ID, by either running cklog, or
running aklog and then pts cu, the ptserver will allocate the space
for them in your cell, and they can then be added to ACLs and groups.

I hope this helps you some, and I hope Transarc will put this in the
next release....

-derek