Re: [OpenAFS] the mac quandry with 2 realms

Thu, 15 Jul 2010 12:05:34 -0700 


On 7/14/2010 11:32 AM, David Bear wrote:

We have an issue that we haven't found a good solution for on mac osX.
We have BOTH a kerberos realm called 'asu.edu <http://asu.edu>', and an
active directory domain called asurite. Our afs identities are all in
the asu.edu <http://asu.edu> realm. We also have cifs space that
requires authentication tokens from the asurite domain.

We can configure the make to do kerberos auth to the asu.edu
<http://asu.edu> realm -- and automatically get afs tokens in the
request, and access afs. However, configuring the mac that way precludes
our ability to get an authentication token in the asurite domain, and
therefore prevents us from accessing cifs.

Or, we can join the mac to the asurite (active directory) domain, and
use cifs, and face similar issues of not being able to get afs tokens to
get in to afs space.



I don't have a Mac to try this on, but if you can't use cross realm
for some reason, have you tried adding the ASU.EDU realm to the
/Library/Preferences/edu.mit.kerberos file leaving the default
realm pointing at asurite, then use:
  klog.krb5 user -k ASU.EDU

If that does not work, have you tried  something like:
  export KRB5_CONFIG=/path/to/other/krb5.conf
  klog.krb5 user
where the krb5.conf has the default realm set to ASU.EDU.
You could make this into a script.


Finally, we can leave the mac stand alone - not configuring it for any
realm/domain authentication, and then use klog to get afs tokens and use
the mac prompt for accessing cifs to get authentication tokens from the
asurite domain.




I am wondering what other mac osx users are experiencing with wanting to
use both afs and cifs -- and if there is a best practice and perhaps
other tools (scripts?) that make cifs and afs more peacefully coexist on
osX.


--
David Bear
College of Public Programs at ASU
602-494-0424


--

 Douglas E. Engert  <[email protected]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info






















					Reply via email to