I just got a test setup of cross-realm (v5) afs working between two
"toy" realms.  Pretty nifty, especially since aklog does all the hard
work for the user.

When I set this up, I did the "normal thing" for cross-realm and put
two principals in each realm:

     krbtgt/[EMAIL PROTECTED]
     krbtgt/[EMAIL PROTECTED]

Now, if CELL is a realm with a corresponding afs cell, and OTHER is
some other realm with no afs infrastructure at all, do I need both of
these principals?  I have this hunch that since OTHER's kdc never
needs to look at a ticket issued by CELL, the second principal
(krbtgt/[EMAIL PROTECTED]) isn't necessary for this limited functionality,
but I don't know if Kerberos actually works this way.

I tried this with my "toy realms" and it seemed to work when I junked
the second principal and restarted everything.  Removing the first
principal caused things to stop working (obviously; just making sure I
was actually reloading things properly).

I ask because I'm about to request that the CS.BERKELEY.EDU add a
cross-realm principal for RESEARCH.CS.BERKELEY.EDU (a micro-realm that
exists solely to support the corresponding afs cell), and the less I
ask for the more likely I am to get it.

  - a

-- 
PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
