Jeff, what do you mean by: "... you need to add groups for foreign realms (system:[email protected]) for each realm that you want to accept users from."?

If I understand the documentation correctly, there needs to be one group, named precisely system:[email protected], which will contain all the users from foreign realms:

"Enable automatic registration for users in the foreign cell. This may be done by creating a cross-realm trust in the Kerberos Database. Then add a PTS group named system:[email protected] and give it a group quota greater than the number of foreign users expected to be registered."

http://docs.openafs.org/AdminGuide/ch02s03.html

Also, on a naïve note, how do you create a group with the ownership "system"? I am working as an admin, of course, but pts creategroup throws up the message "Badly formed name (group prefix doesn't match owner?)" regardless of what I do.

Danko

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jeffrey Altman
Sent: Monday, July 11, 2011 8:32 PM
To: [email protected]
Subject: Re: [OpenAFS] Re: OpenAFS and AD trusts

What you want to accomplish is fine, but all of your users will be foreign identities in the AFS Protection database:

[email protected]
[email protected]
[email protected]
etc.

and you need to add groups for foreign realms (system:[email protected]) for each realm that you want to accept users from.

Another thing that is critical is that the DNS host names of the AFS VLDB servers be in the resource.net domain. It must be possible for aklog (or other tools) to perform a domain-to-realm mapping from the VLDB server host name to the Kerberos realm that contains the AFS service principal.

Jeffrey Altman

On 7/11/2011 8:23 PM, Danko Antolovic wrote:
> Andrew and Derrick,
>
> Thanks, but let me clarify: I am trying to separate the administrative part
> of managing many user databases from the proper functions of the AFS server.
>
> I want to have multiple domains like IU.EDU (school1.edu, school2.edu ...),
> providing user creds for a single AFS installation. I could list them all
> in /usr/afs/etc/krb.conf, make all the asetkeys etc., but the idea is to
> have the AD manage multiple domains via trusts to RESOURCE.NET, and have AFS
> be aware of one domain only (you can see how this would be useful in the
> case of many different services, all authenticating through RESOURCE.NET).
>
> In principle, a kerberizable service should be able to function like that;
> my question is whether AFS can do it.
>
> There is also the issue of the local (AFS) user namespace, but I am taking
> one step at a time.
>
> Thanks,
>
> Danko Antolovic

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
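Jeffrey's point that aklog must be able to map a VLDB server host name to the realm holding the AFS service principal is worth checking before relying on the trust setup. The following is an added example, not code from the thread or from OpenAFS: it reimplements the host-to-realm lookup that libkrb5 performs against a `[domain_realm]` table (exact host entry first, then the longest matching `.parent.domain` entry), and uses it to flag VLDB hosts that would not resolve to the expected realm. The table contents, host names and the `RESOURCE.NET` realm below are constructed sample data, and the function names are mine; the DNS-based fallback that real libkrb5 may attempt when no entry matches is deliberately not modelled, so an unmapped host returns `None`.

```python
"""Check that AFS VLDB server host names map to the expected Kerberos realm.

Emulates the [domain_realm] lookup rules used by MIT/Heimdal krb5 (and
therefore by aklog): an exact host entry wins, otherwise the most specific
".suffix" entry that matches a parent domain of the host wins.  DNS TXT
fallback and default-realm guessing are NOT modelled (assumption: an
unmapped host is treated as a configuration error here).
"""

# Constructed sample [domain_realm] section, as it might appear in krb5.conf.
# These entries are illustrative only; they are not from the original thread.
DOMAIN_REALM = {
    ".resource.net": "RESOURCE.NET",
    "resource.net": "RESOURCE.NET",
    ".school1.edu": "SCHOOL1.EDU",
}


def _normalize_table(domain_realm):
    """Lower-case keys and strip trailing dots, as krb5 compares host names
    case-insensitively."""
    return {k.lower().rstrip("."): v for k, v in domain_realm.items()}


def domain_to_realm(hostname, domain_realm):
    """Return the realm a host name maps to, or None if no entry applies.

    Matching order, mirroring libkrb5:
      1. an entry equal to the full host name ("afsdb1.resource.net")
      2. the longest ".suffix" entry matching a parent domain
         (".afs.resource.net" beats ".resource.net")
    """
    table = _normalize_table(domain_realm)
    host = hostname.lower().rstrip(".")

    # 1. exact host entry
    if host in table:
        return table[host]

    # 2. walk parent domains, most specific first
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]

    return None


def misrouted_vldb_hosts(vldb_hosts, domain_realm, expected_realm):
    """Return the VLDB host names that do not map to expected_realm.

    A non-empty result means aklog cannot derive the realm that holds the
    afs/cell@REALM service principal from that server's name, which is the
    failure mode described in the thread.
    """
    bad = []
    for host in vldb_hosts:
        realm = domain_to_realm(host, domain_realm)
        if realm != expected_realm.upper():
            bad.append(host)
    return bad


if __name__ == "__main__":
    # Constructed sample VLDB server list: one host lives outside resource.net.
    vldb = ["afsdb1.resource.net", "afsdb2.resource.net", "afsdb3.school1.edu"]
    for h in vldb:
        print(f"{h:28s} -> {domain_to_realm(h, DOMAIN_REALM)}")
    problems = misrouted_vldb_hosts(vldb, DOMAIN_REALM, "RESOURCE.NET")
    if problems:
        print("VLDB hosts that will not map to RESOURCE.NET:", ", ".join(problems))
```

Run it against the real server list from `CellServDB` and the real `[domain_realm]` section of the client's krb5.conf; any host it reports is one for which aklog will not find the AFS service principal's realm on its own.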
