> The setup I am trying to put together has a Kerberos realm A, two openafs
> cells B and C. I administer C, but have no control over A and B. The set of
> users of A and B (equal) is a superset of users in C.

I'm assuming you're using Kerberos 5 here.

> I have received a keytab file that contains the AFS service (using realm A
> for authentication). I intend to use the pts database on C to authorize a
> certain small subset of users in A. The credentials for authentication for B
> and C would thus be identical for that subset of users. Can I set up matters
> such that when those users try to authenticate, they get authenticated for
> both B and C?

If you're using a recently-modern aklog, like the one that ships with OpenAFS (I sure _hope_ you're using aklog and not klog), by default it will only get tokens for the "local" AFS cell (defined in the ThisCell file). However, if you create a file called ".xlog" in your home directory and list additional cells in it, aklog will then try to get tokens for those cells as well.

This isn't automatic, but you could modify this code to do what you want all of the time. The same concept could be applied to something else, like pam_krb5afs, but you'd probably have to write your own code there (but maybe some of those pam modules have this functionality already).

--Ken
_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
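The cell selection described in the reply above, sketched as a wrapper script; this is an added example, not code from the post or from OpenAFS. It assumes one cell name per line in both files, the placeholder realm `REALM-A.EXAMPLE`, and `/usr/vice/etc/ThisCell` as the ThisCell location; the functions and the `RUN`, `THISCELL` and `XLOG` variables are hypothetical names.

```shell
#!/bin/sh
# Added example: list (or run) one aklog call for the local cell and for
# each extra cell named in an .xlog-style file.
# Assumption: one cell name per line; blank lines are ignored.

# cell_list THISCELL_FILE XLOG_FILE
# Prints the local cell first, then the extra cells, without duplicates.
cell_list() {
    for f in "$1" "$2"; do
        [ -r "$f" ] || continue
        awk 1 "$f"          # awk 1 restores a missing final newline
    done | tr -d '\r' | awk '
        { gsub(/^[ \t]+|[ \t]+$/, "") }      # trim surrounding whitespace
        $0 == "" { next }                    # skip blank lines
        # Reject names that could be read as options or contain odd bytes.
        $0 !~ /^[A-Za-z0-9][A-Za-z0-9._-]*$/ {
            print "skipping invalid cell name: " $0 > "/dev/stderr"
            next
        }
        !seen[$0]++ { print }'
}

# aklog_plan REALM THISCELL_FILE XLOG_FILE
# Dry run by default: prints the aklog command lines. RUN=1 executes them.
aklog_plan() {
    realm=$1
    cell_list "$2" "$3" | while IFS= read -r cell; do
        if [ "${RUN:-0}" = 1 ]; then
            aklog -c "$cell" -k "$realm" ||
                echo "no token for $cell" >&2
        else
            printf 'aklog -c %s -k %s\n' "$cell" "$realm"
        fi
    done
}

# Default invocation; the realm and both paths are assumptions.
aklog_plan "${1:-REALM-A.EXAMPLE}" \
    "${THISCELL:-/usr/vice/etc/ThisCell}" "${XLOG:-$HOME/.xlog}"
```

Run after `kinit`, the dry run shows which cells a login would request tokens for, so a stray or malformed entry in the cell list is visible before any token is obtained.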
