Derrick J Brashear wrote:
> On Tue, 2 May 2006, Christopher D. Clausen wrote:
>
>> Jeffrey Altman <[EMAIL PROTECTED]> wrote:
>>> The OpenAFS Gatekeepers announce the availability of OpenAFS
>>> Development version 1.5.1 .
>>> [snip]
>>>
>>> (3) partial support for multiple Kerberos realms mapping to a single
>>> cell has been added to servers.
>>
>> Are there more details on this multiple Kerberos realm support
>> somewhere?
>
> List them in /usr/afs/etc/krb.conf, one per line
Correction. The realms are white space separated on the first line
of the /usr/afs/etc/krb.conf file. The format of the file is
compatible with the Kerberos IV krb.conf file. This file format
has one or more realms on the first line and subsequent lines in
the file contain kdc listings. OpenAFS ignores the kdc listings
and only pays attention to the first realms listed on the first line.
Each realm listed in the krb.conf file is considered a local realm.
Authenticated principals belonging to a local realm are treated as
local cell usernames. For example, if the krb.conf file contains
the realm names:
EXAMPLE.COM AD.EXAMPLE.COM
then the principal names [EMAIL PROTECTED] and [EMAIL PROTECTED] will
both be treated as the AFSID whose name is "user", whereas the
principal name [EMAIL PROTECTED] will be treated as a foreign identity.
> Usernames must map directly e.g. be the same in all realms, though.
In addition to the krb.conf file there is also an exclusion file.
/usr/afs/etc/krb.excl
This file contains a list of principal names that should not be treated
as a local AFS identity. This file contains one principal name per line.
[EMAIL PROTECTED]
[EMAIL PROTECTED]
>> In what situations would it be useful? (I'd like to eventually get
>> rid of gssklogd if OpenAFS can handle that same functionality natively.)
This functionality is useful when a cell administrator trusts that two
Kerberos realms allocate the same principal names to the same
individuals. When this is true a user that logs into a Heimdal based
realm or a Windows Active Directory based realm in the same organization
can access AFS as the same AFSID.
>> And what exactly does "partial support" mean?
>
> It means later you'll be able to also say
> [EMAIL PROTECTED] maps to [EMAIL PROTECTED]
To elaborate on this statement: work is being performed to extend the
AFS Protection database to allow multiple names to be associated with
the same AFSID. Currently, I have multiple Kerberos principals from
realms that have exchanged cross-realm keys. When accessing a volume
in cell 'a' I want to be able to access the volume with a single AFSID
regardless of which of the Kerberos principals I control that I am using
at a given time.
When the Protection Server extensions are complete, it will be possible
to associate not only short names "user" with an AFSID but a Kerberos 5
principal name or other name types that may be registered in the future.
Jeffrey Altman
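A small model of the krb.conf / krb.excl mapping rules described in this message, added here as an illustration (it is not OpenAFS code). It assumes a principal is written "name@REALM" and is split at the last '@', that realm matching is exact and case-sensitive, and that instance components are not specially handled; the sample file contents are constructed.

```python
from typing import List, Optional, Set

def parse_krb_conf(text: str) -> List[str]:
    """Local realms are the whitespace-separated tokens on the first line.
    Later lines are kdc listings (Kerberos IV krb.conf layout) and are ignored."""
    lines = text.splitlines()
    return lines[0].split() if lines else []

def parse_krb_excl(text: str) -> Set[str]:
    """One full principal name per line; blank lines are skipped."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def map_principal(principal: str, local_realms: List[str],
                  excluded: Set[str]) -> Optional[str]:
    """Return the local AFS username for principal, or None for a foreign identity.
    krb.excl is checked first, so a listed principal stays foreign even when its
    realm appears in krb.conf. Assumption (not stated in the message): principal
    is "name@REALM", split at the last '@', with an exact realm match."""
    if principal in excluded:
        return None
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or realm not in local_realms:
        return None
    return name

# Constructed sample files (not from the message) using its example realm names.
KRB_CONF = ("EXAMPLE.COM AD.EXAMPLE.COM\n"
            "EXAMPLE.COM kdc1.example.com\n"
            "AD.EXAMPLE.COM dc1.ad.example.com\n")
KRB_EXCL = "admin@AD.EXAMPLE.COM\n"

if __name__ == "__main__":
    realms = parse_krb_conf(KRB_CONF)
    excl = parse_krb_excl(KRB_EXCL)
    for p in ("user@EXAMPLE.COM", "user@AD.EXAMPLE.COM",
              "user@OTHER.ORG", "admin@AD.EXAMPLE.COM"):
        print(p, "->", map_principal(p, realms, excl) or "foreign")
```

The order of the two checks is the point worth noticing: an entry in krb.excl overrides realm membership, so it is the mechanism for keeping a specific principal from a trusted realm out of the local namespace.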
