Silvia Roedelsperger wrote:
> Hi,
>
> First, I want to thank you for the link. We'll try it out if we have
> some time :-)
>
> You've asked if it's the same realm:
> Yes, (unfortunately) it's the same realm name for both.
>
> Greetings, Silvia
It is OK for there to be an AFS cell name that matches an Active Directory domain name. It is not OK for there to be two independent Kerberos realms with the same name. The clients have no way to determine which realm they need to speak with for which services, and there is no ability to set up cross-realm key exchanges when the realm names are the same.

If the cell name is foobar.de and both realm names are FOOBAR.DE AND all of the user identities are guaranteed to be the same in the two realms, then I would do the following:

1. Create an "afs/[EMAIL PROTECTED]" service principal in both the Active Directory domain and the MIT/Heimdal realm.
2. Generate keytabs for each such that the key version number of the service principal in each realm is unique.
3. Import both keys into the AFS KeyFile using asetkey.

This will permit the AFS services to accept tickets issued by both realms. However, it is only safe to do this if and only if the user principal names in both realms are issued by the same controlling organization and will always be for the same individual or service. If you do this, AFS will have no method of distinguishing between a user in one realm vs. the other.

Jeffrey Altman
Secure Endpoints Inc.
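The kvno uniqueness in step 2 is the part that is easy to get wrong, because the AFS KeyFile stores keys by key version number alone, so importing a second key with the same kvno replaces the first. The script below is an added example, not code from the mail or from OpenAFS: it takes "klist -k" style listings of the two keytabs, refuses to continue when the service principal's kvno collides, and otherwise prints the asetkey commands for step 3. The principal name afs/foobar.de@FOOBAR.DE is assumed from the cell name in the mail, and both listings are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original mail or OpenAFS). Listings are constructed
# in "klist -k" output format; the principal name is an assumption from the cell name.

MIT_KLIST='Keytab name: FILE:/etc/afs-mit.keytab
KVNO Principal
---- ----------------------------------------------
   3 afs/foobar.de@FOOBAR.DE'
AD_KLIST='Keytab name: FILE:/etc/afs-ad.keytab
KVNO Principal
---- ----------------------------------------------
   4 afs/foobar.de@FOOBAR.DE'

# kvno_of LISTING PRINCIPAL: print every kvno recorded for PRINCIPAL in a klist -k listing
kvno_of() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }'
}

# kvnos_distinct LISTING_A LISTING_B PRINCIPAL: succeed only if PRINCIPAL appears in
# both listings and no kvno value is shared between them (a shared kvno would make the
# second asetkey import overwrite the first realm's key in the KeyFile)
kvnos_distinct() {
    a=$(kvno_of "$1" "$3"); b=$(kvno_of "$2" "$3")
    [ -n "$a" ] && [ -n "$b" ] || return 1
    dup=$(printf '%s\n%s\n' "$a" "$b" | sort | uniq -d)
    [ -z "$dup" ]
}

# asetkey_plan KEYTAB_A LISTING_A KEYTAB_B LISTING_B PRINCIPAL: after the kvno check
# passes, print one "asetkey add <kvno> <keytab> <principal>" line per key to import
asetkey_plan() {
    kvnos_distinct "$2" "$4" "$5" || {
        echo "refusing: $5 has a missing or duplicate kvno across the two keytabs" >&2
        return 1
    }
    for k in $(kvno_of "$2" "$5"); do echo "asetkey add $k $1 $5"; done
    for k in $(kvno_of "$4" "$5"); do echo "asetkey add $k $3 $5"; done
}

asetkey_plan /etc/afs-mit.keytab "$MIT_KLIST" /etc/afs-ad.keytab "$AD_KLIST" \
    afs/foobar.de@FOOBAR.DE
```

Run "klist -k <keytab>" against each real keytab and feed its output in place of the constructed listings; only run the printed asetkey lines once the check passes.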