Mikkel Kruse Johnsen wrote:
> Hi All
>
> I have a MS Active Directory (HHK.DK) that almost all users are created
> in. I have a MIT Kerberos (CBS.DK) that I have some other users in.
> There is a two-way trust between them and I know that it works.
>
> I have a user [EMAIL PROTECTED] in the MIT Kerberos
> and a user [EMAIL PROTECTED] in MS AD. The OpenAFS
> afs/sugi.cbs.dk token is in MIT Kerberos. Using my [EMAIL PROTECTED]
> I can access my home dir in AFS, but when using
> [EMAIL PROTECTED] it fails on aklog.
>
> Is this possible?
>
> /Mikkel

CBS.DK != HHK.DK

If CBS.DK is the local realm for cell sugi.cbs.dk, then principals in HHK.DK are going to be considered foreign users. If you know that there are no users in CBS.DK and HHK.DK for which [EMAIL PROTECTED] and [EMAIL PROTECTED] could ever be different entities, then you can add HHK.DK to the afs krb.conf file as a second local realm (after you have applied the multiple local realms patch or after 1.4.5 is released.) This will treat principals from both realms as local.

aklog will still have a problem in that it has no way of knowing that CBS.DK and HHK.DK are both local realms and it will continue to attempt to create the foreign PTS ID. To fix this will require adding a new "WhoAmI" RPC to PTS.

Jeffrey Altman
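
The precondition in the reply above (no name may belong to different people in CBS.DK and HHK.DK) can be audited before the second local realm is added. The following is an added example, not part of the thread and not OpenAFS code; it uses a simplified model of the principal-to-PTS-name mapping (local realm dropped, foreign realm appended in lower case), and the user names are hypothetical.

```python
# Simplified model (an assumption of this example, not OpenAFS source) of how a
# Kerberos 5 principal becomes an AFS/PTS name, given the cell's local realms.

def pts_name(principal, local_realms):
    """Map 'user[/instance]@REALM' to the PTS name the cell would look up."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a full principal: {principal!r}")
    afs_name = name.replace("/", ".", 1)   # krb5 'user/inst' -> AFS 'user.inst'
    if realm.upper() in {r.upper() for r in local_realms}:
        return afs_name                     # local realm: realm is dropped
    return f"{afs_name}@{realm.lower()}"    # foreign user: separate PTS entry


def merged_identities(principals, local_realms):
    """Return {pts_name: [principals]} for names shared by several principals."""
    by_name = {}
    for p in principals:
        by_name.setdefault(pts_name(p, local_realms), []).append(p)
    return {n: sorted(ps) for n, ps in by_name.items() if len(ps) > 1}


# Constructed sample principals; 'alice', 'bob' and 'carol' are hypothetical.
SAMPLE = ["alice@CBS.DK", "alice@HHK.DK", "bob@HHK.DK", "carol/admin@CBS.DK"]

if __name__ == "__main__":
    for realms in (["CBS.DK"], ["CBS.DK", "HHK.DK"]):
        print("local realms:", realms)
        for p in SAMPLE:
            print(f"  {p:22} -> {pts_name(p, realms)}")
        # Any entry here is a pair of principals that would share one AFS
        # identity (and its ACL entries) once both realms are local.
        print("  merged:", merged_identities(SAMPLE, realms))
```

Every name reported under "merged" has to be confirmed as the same person in both realms before HHK.DK is listed as local.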
