At 2/28/2002 06:19 AM -0500, you wrote:
>Giovanni Bracco <[EMAIL PROTECTED]> writes:
> > In the implementation it would be better not to modify the pam arguments
> > but to add another file of the same type as "ThisCell" like "OtherCells"
> > containing a list of cells, comma separated. If the file does not exist
> > nothing new is performed. Does it sound reasonable?
>
>It would be better if this were per-user. If every user in ThisCell
>exists under the same principal name in OtherCells, then why
>have 2 cells? Chances are, you have some people who are missing,
>and sooner or later, unless your various system administrators coordinate
>things carefully, you'll end up with duplicate names, or people with
>different names in different cells.
>
>Here at the University of Michigan, we've tried to support a slightly
>more flexible scheme:
>each user can have a file,
>        .principals
>that specifies additional realms in which to get kerberos tickets.
>The idea is to have one or more lines like this:
>        # this line ignored
>        @ENGIN.UMICH.EDU
>        [EMAIL PROTECTED] &
>        [EMAIL PROTECTED]
>Once authentication is accepted in the primary realm, login (or
>whatever) can then go off & get these additional tickets,
>potentially under a different name, and possibly in the background.
....

Do you mean that the user must not provide explicitly a password for the
other cells (e.g. in an ssh connection to the main cell), providing that the
password is the same on the different cells/users?
If that is the case this solution also looks great and surely is more
flexible. Can it be implemented in OpenAFS?

Giovanni

Giovanni Bracco
Associazione EURATOM-ENEA sulla Fusione
C.R.E. ENEA Frascati
Via E. Fermi 45
I-00044 Frascati (Roma) Italy
phone 00-39-06-9400-5597
FAX 00-39-06-9400-5735
E-mail [EMAIL PROTECTED]
WWW http://fusfis.frascati.enea.it/~bracco
_______________________________________________
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info
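
Added example, not part of the original message and not OpenAFS or University of Michigan code: a strict parser for the per-user `.principals` file described in the quoted text, as a login-time component would need before acting on a user-writable file. The line syntax (including reading a trailing `&` as "fetch in the background"), the character rules and the entry cap are assumptions inferred from the sample lines; `jdoe`, `jdoe2` and `EXAMPLE.ORG` are constructed.

```python
import re
from typing import NamedTuple

# Assumed syntax, inferred from the sample lines in the quoted message:
#   "# ..."       comment, ignored
#   "@REALM"      same login name, additional realm
#   "name@REALM"  different principal name in that realm
#   trailing "&"  obtain this ticket in the background
REALM_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,254}")
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,63}")
MAX_ENTRIES = 16  # constructed cap: the file is user-controlled input


class Entry(NamedTuple):
    principal: str
    realm: str
    background: bool


def parse_principals(text, login_name):
    """Return (entries, rejected); rejected holds (line number, raw line)."""
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        background = line.endswith("&")
        if background:
            line = line[:-1].rstrip()
        name, sep, realm = line.rpartition("@")
        name = name or login_name  # bare "@REALM" reuses the login name
        valid = (sep and REALM_RE.fullmatch(realm) and NAME_RE.fullmatch(name))
        if not valid or len(entries) >= MAX_ENTRIES:
            rejected.append((lineno, raw))  # never guess at a malformed line
            continue
        entries.append(Entry(name, realm, background))
    return entries, rejected


# Constructed sample file contents.
SAMPLE = """\
# this line ignored
@ENGIN.UMICH.EDU
jdoe2@EXAMPLE.ORG &
not a principal line
"""

if __name__ == "__main__":
    print(parse_principals(SAMPLE, "jdoe"))
```

Rejected lines are returned rather than silently dropped so the caller can log them; a caller running with elevated privileges would also check the file's ownership and mode before reading it.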
