The AFS releases as recent as 3.2a have had the cross-cell server code
in them. The only difficulty is in actually getting the cross-cell
token.

There are two ways to do this. One is to use the MIT aklog program,
which uses the MIT Kerberos protocol to get an AFS ticket for the
appropriate cell and turns it into a token.

The other possibility is to use cklog, which is a program originally
written at CMU, which takes a token from one cell and requests a
token from another cell. I don't know too much about this program
(although I did help on it some ;-).

I don't know if there are any papers on this or not. It requires that
the two cells have a shared key between them, but I think there is a
kaserver bug that might not allow this to work all the time (this bug
might have been fixed, I don't recall).

If you have two realms, A and B, then you need to have a shared key.
This involves creating a password that both A and B know, and then in
A's authentication database (Kerberos or kaserver), you create the key
"krbtgt.B", and in B's realm you create "krbtgt.A", where the '.'
denotes the boundary between principal and instance. The password
(actually the key that corresponds to the password) needs to be the
same in both realms, and the kvno (Key Version Number) also needs to
be the same.

If you have any more questions, feel free to ask. I hope I helped.

-derek
Derek Atkins, SB '93 MIT EE, G MIT Media Laboratory
Secretary, MIT Student Information Processing Board (SIPB)
PGP key available from [EMAIL PROTECTED]
[EMAIL PROTECTED] PP-ASEL N1NWH
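
The shared-key requirement described in the message above, as an added example that is not part of the original post: a consistency check over the two realms' entries that reports a missing krbtgt principal, a kvno mismatch, or a key mismatch. The database layout, the function name and the sample keys are assumptions constructed for illustration, not a real Kerberos or kaserver export format.

```python
import hmac

def check_cross_realm(realm_a, db_a, realm_b, db_b):
    """Return a list of problems with the A<->B cross-realm key setup.

    db_a / db_b map (principal, instance) -> (kvno, key_bytes). This layout
    is an assumption for the example, not a real database format.
    """
    problems = []
    entry_a = db_a.get(("krbtgt", realm_b))  # krbtgt.B lives in A's database
    entry_b = db_b.get(("krbtgt", realm_a))  # krbtgt.A lives in B's database
    if entry_a is None:
        problems.append(f"{realm_a}: missing krbtgt.{realm_b}")
    if entry_b is None:
        problems.append(f"{realm_b}: missing krbtgt.{realm_a}")
    if entry_a is None or entry_b is None:
        return problems
    kvno_a, key_a = entry_a
    kvno_b, key_b = entry_b
    if kvno_a != kvno_b:
        problems.append(f"kvno mismatch: {kvno_a} vs {kvno_b}")
    # Compare the keys themselves, not the passwords they were derived from.
    if not hmac.compare_digest(key_a, key_b):
        problems.append("key mismatch")
    return problems

# Constructed sample data: 8-byte placeholder keys, not real key material.
SHARED_KEY = bytes.fromhex("0123456789abcdef")
OTHER_KEY = bytes.fromhex("fedcba9876543210")
DB_A = {("krbtgt", "B"): (1, SHARED_KEY)}
DB_B_GOOD = {("krbtgt", "A"): (1, SHARED_KEY)}
DB_B_STALE = {("krbtgt", "A"): (2, OTHER_KEY)}  # re-keyed in B only

if __name__ == "__main__":
    for label, db_b in (("good", DB_B_GOOD), ("stale", DB_B_STALE), ("empty", {})):
        print(label, check_cross_realm("A", DB_A, "B", db_b) or "OK")
```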