> I just got a test setup of cross-realm (v5) afs working between two
> "toy" realms. Pretty nifty, especially since aklog does all the hard
> work for the user.

I think 70% of the hard work is done by the Kerberos library (the actual cross-realm magic); the remaining 30% is done by aklog in terms of cross-realm PTS registration.

> When I set this up, I did the "normal thing" for cross realm and put
> two principals in each realm:
>
> krbtgt/[EMAIL PROTECTED]
> krbtgt/[EMAIL PROTECTED]
>
> Now, if CELL is a realm with a corresponding afs cell, and OTHER is
> some other realm with no afs infrastructure at all, do I need both of
> these principals? I have this hunch that since OTHER's kdc never
> needs to look at a ticket issued by CELL, the second principal
> (krbtgt/[EMAIL PROTECTED]) isn't necessary for this limited functionality,
> but I don't know if Kerberos actually works this way.

Jeff already pointed out that both KDCs need to know about the same principal (the local KDC uses that key to encrypt the cross-realm TGS ticket; the foreign KDC uses it to decrypt it). However, to answer your original question ... no, you don't need both directions. You need only one direction. I do this all the time with sites that are paranoid about cross-realm and only want to cross-realm outbound.

--Ken

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
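The one-direction point above can be made concrete with a small model of the cross-realm TGS exchange. The Python below is an added illustration, not code from the thread or from OpenAFS or any Kerberos implementation: two toy KDCs for realms CELL and OTHER share one key for the single principal krbtgt/CELL@OTHER, the OTHER KDC seals a cross-realm TGT under that key, and the CELL KDC unseals it to learn the foreign identity it would later hand to aklog for PTS registration. The reverse direction fails because no krbtgt/OTHER@CELL was ever created, and a key that differs between the two databases fails the integrity check. The sealing scheme, the realm and user names (alice, bob) and the key bytes are all constructed for the example; real Kerberos ticket encryption is not this.

```python
"""Toy model of one-way Kerberos cross-realm trust (added example, not real Kerberos)."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from key||nonce||counter (toy stand-in for a real enctype)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC a ticket body under the krbtgt key: nonce || ciphertext || tag."""
    plain = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt. A wrong key (mismatched databases) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket integrity check failed: krbtgt key does not match")
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(plain)


class KDC:
    """A realm's KDC holding the keys of the principals in its own database."""

    def __init__(self, realm: str):
        self.realm = realm
        self.keys: dict[str, bytes] = {}

    def add_principal(self, name: str, key: bytes) -> None:
        self.keys[name] = key

    def issue_cross_realm_tgt(self, client: str, target_realm: str) -> bytes:
        """TGS_REQ for krbtgt/TARGET@LOCAL: the local KDC must hold that principal's key."""
        name = f"krbtgt/{target_realm}@{self.realm}"
        if name not in self.keys:
            raise LookupError(f"no {name} in {self.realm} database")
        body = {"cname": client, "crealm": self.realm, "sname": name}
        return seal(self.keys[name], body)

    def accept_cross_realm_tgt(self, blob: bytes, issuing_realm: str) -> str:
        """The foreign KDC decrypts with its copy of the same krbtgt key and learns who is asking."""
        name = f"krbtgt/{self.realm}@{issuing_realm}"
        if name not in self.keys:
            raise LookupError(f"no {name} in {self.realm} database")
        tgt = unseal(self.keys[name], blob)
        # This client@realm string is what aklog would register in PTS, e.g. alice@OTHER.
        return f"{tgt['cname']}@{tgt['crealm']}"


def one_way_trust_demo() -> dict:
    """OTHER users may enter the CELL afs cell; CELL users have no path into OTHER."""
    cell, other = KDC("CELL"), KDC("OTHER")
    shared = os.urandom(32)  # constructed key, entered identically in BOTH KDC databases
    other.add_principal("krbtgt/CELL@OTHER", shared)
    cell.add_principal("krbtgt/CELL@OTHER", shared)
    results = {}
    tgt = other.issue_cross_realm_tgt("alice", "CELL")
    results["other_to_cell"] = cell.accept_cross_realm_tgt(tgt, "OTHER")
    try:  # krbtgt/OTHER@CELL was never created, so this direction cannot start.
        cell.issue_cross_realm_tgt("bob", "OTHER")
        results["cell_to_other"] = "issued"
    except LookupError as exc:
        results["cell_to_other"] = str(exc)
    return results


def mismatched_key_is_rejected() -> bool:
    """Same principal name in both databases but different keys: the ticket is refused."""
    cell, other = KDC("CELL"), KDC("OTHER")
    other.add_principal("krbtgt/CELL@OTHER", os.urandom(32))
    cell.add_principal("krbtgt/CELL@OTHER", os.urandom(32))
    try:
        cell.accept_cross_realm_tgt(other.issue_cross_realm_tgt("alice", "CELL"), "OTHER")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(one_way_trust_demo())
    print("mismatched key rejected:", mismatched_key_is_rejected())
```

The model keeps the two failure modes apart on purpose: a missing principal fails at ticket issue time in the requesting realm (nothing ever leaves that KDC), while a key that was entered differently in the two databases fails only when the receiving KDC cannot verify the ticket, which is the symptom to look for when a one-way setup that "should work" does not.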
