Mikkel Kruse Johnsen wrote:
> Hi All
> 
> I have a MS Active Directory (HHK.DK) that almost all users are created
> in. I have a MIT Kerberos (CBS.DK) that I have some other users in.
> There is a two-way trust between them and I know that it works.
> 
> I have a user [EMAIL PROTECTED] in the MIT Kerberos
> and a user [EMAIL PROTECTED] in MS AD. The OpenAFS
> afs/sugi.cbs.dk token is in MIT Kerberos. Using my [EMAIL PROTECTED]
> I can access my home dir in AFS, but when using
> [EMAIL PROTECTED] it fails on aklog.
> 
> Is this possible?
> 
> /Mikkel

CBS.DK != HHK.DK

If CBS.DK is the local realm for cell sugi.cbs.dk, then principals in
HHK.DK are going to be considered foreign users.  If you know that there
are no users in CBS.DK and HHK.DK for which [EMAIL PROTECTED] and [EMAIL PROTECTED]
could ever be different entities, then you can add HHK.DK to the afs
krb.conf file as a second local realm (after you have applied the
multiple local realms patch or after 1.4.5 is released.)  This will
treat principals from both realms as local.

aklog will still have a problem in that it has no way of knowing that
CBS.DK and HHK.DK are both local realms and it will continue to attempt
to create the foreign PTS ID.  To fix this will require adding a new
"WhoAmI" RPC to PTS.

Jeffrey Altman
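
The precondition in the reply above (no name may denote different people in CBS.DK and HHK.DK) can be checked before HHK.DK is added as a second local realm. The following is an added example, not part of the original message and not OpenAFS code. It assumes single-component principals, a lower-cased `name@realm` form for foreign identities, and constructed principal names.

```python
# Added illustration: a simplified model of local vs. foreign realm mapping.
# Realm names come from the thread; the principals below are constructed.
LOCAL_REALMS_BEFORE = ["CBS.DK"]
LOCAL_REALMS_AFTER = ["CBS.DK", "HHK.DK"]

SAMPLE_PRINCIPALS = [  # constructed sample data
    "alice@CBS.DK",
    "alice@HHK.DK",
    "bob@HHK.DK",
    "carol@CBS.DK",
]


def split_principal(principal):
    """Split 'name@REALM' into (name, REALM), upper-casing the realm."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a name@REALM principal: {principal!r}")
    return name, realm.upper()


def afs_identity(principal, local_realms):
    """Local-realm principals map to the bare name; all others are treated
    as foreign users (assumed form: name@lower-cased-realm)."""
    name, realm = split_principal(principal)
    if realm in local_realms:
        return name
    return f"{name}@{realm.lower()}"


def conflated_identities(principals, local_realms):
    """Return {identity: [principals]} for every identity that more than one
    Kerberos principal maps to under the given local realm list."""
    seen = {}
    for p in principals:
        seen.setdefault(afs_identity(p, local_realms), []).append(p)
    return {ident: sorted(ps) for ident, ps in seen.items() if len(ps) > 1}


if __name__ == "__main__":
    for realms in (LOCAL_REALMS_BEFORE, LOCAL_REALMS_AFTER):
        print(realms, conflated_identities(SAMPLE_PRINCIPALS, realms))
```

Every identity it reports under the two-realm list must be confirmed to be the same person in both realms before the change is made.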








