Re: questions by stasheck and a response by Douglas E. Engert

>> Server names are not a big problem. If the two AFS cells have the same
>> name that may be a problem.

The cell lookup process (CellServDB, DNS or registry (Windows)) starts with
the name and there's no provision to treat two different servers as one, so
yes, that is a problem.

> They have, unfortunately. Is there an easy way to change AFS cell name?

Easy? No. Possible? Yes, but it's painful.

>>> What's more, now we've got plans to introduce AD domain in "ours"
>>> network. Great, another Kerberos, another AAA system in place. How
>>> about I (and my fellow sysadmins) will try to fix and simplify it as
>>> much as possible?

There are differences between Server 2008 and Server 2008 R2. I'm not 100%
sure, but I don't think your plan will work with the non-R2 version.

>> And I assume the AD top level domain name would end up being the same
>> as the current 2 Kerberos realm names????
>
> I surely hope it doesn't. I am mentally prepared to create some subdomain
> for AD - like ad.test.int, and the Kerberos domain would be named the same.
> But what I would like to do is to allow users to have just one password for
> all Kerberos-authenticated services.
>
>>> I've already put in motion a plan to "flatten" DNS space, so names
>>> will be unique - so we can treat that as nearly non-issue.
>>
>> Keep in mind that AD likes to have the DCs and other Windows servers
>> with a DNS domain name == AD domain name. The AD domain name is then
>> the Kerberos realm name (in uppercase) when AD is using Kerberos.
>
> That's ok.

Having the AD (lower case) and realm name (upper case) match is mandatory.
If I remember correctly, you get the undocumented (undefined?) error 68 when
attempting to get a TGT if they don't.

>> You can register other Unix machines in AD Kerberos where the DNS
>> domain name is not the same as the AD domain name.
>
> You got me lost - I don't know what you're referring to.

On the AD server, you use ktpass to register the name of the cell and get a
keytab for use on that cell server. You can register more than one name.
(I think. I haven't actually tried that.)

> That's something I hope for, except that this pesky "contractors"
> network and its stupid firewall comes in my way. I'd still need to solve
> the problem on how to auth users in "contractors" network despite the
> one-way firewall (possible, I guess), and how to block "ours"-only users
> from logging on "contractors". I feel there should be some way to do this,
> I just don't know what it is.
>
> Maybe I can use this parallel:
> let's say there are users in Finances and Sales. Both departments have
> separate LANs. I want to give both Finances and Sales the same Linux
> workstations, but somehow refrain Sales users from logging on Finance's
> computers - but those from Finances can login wherever they want.
>
> Is there a way to do that?

You may be able to use OpenAFS access control lists (ACLs) to control which
group of users can access things in a given cell.

Mickey. SNA

OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
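The two points the reply makes about realm naming (the AD DNS name and the Kerberos realm must match, upper-cased, and Unix hosts in other DNS domains can still be tied to that realm) can be turned into a configuration check. The following is an added example, not code from this thread, from OpenAFS or from Microsoft. It assumes MIT/Heimdal krb5.conf syntax; the domain ad.test.int is the one the poster mentioned, while dc1.ad.test.int, ours.example, contractors.example and the host names below are constructed placeholders. It derives the realm from the AD domain, checks the match, renders the [domain_realm] entries that map the extra DNS domains onto the AD realm, and reports hosts that no entry would cover.

```python
"""Kerberos realm / DNS domain consistency helper (added example).

Assumptions, not from the thread: MIT/Heimdal krb5.conf syntax; the AD
domain ad.test.int comes from the poster, every other host and domain
name below is a constructed placeholder.
"""


def realm_for_domain(ad_domain: str) -> str:
    """The Kerberos realm of an AD domain is its DNS name in upper case."""
    return ad_domain.strip().rstrip(".").upper()


def check_realm_matches(ad_domain: str, realm: str) -> bool:
    """True when the realm name is exactly the upper-cased AD DNS domain."""
    return realm.strip() == realm_for_domain(ad_domain)


def build_krb5_conf(ad_domain: str, kdcs: list, extra_domains: list) -> str:
    """Render a krb5.conf mapping the AD domain plus extra DNS domains
    (hosts whose DNS suffix differs from the AD domain) onto the AD realm."""
    realm = realm_for_domain(ad_domain)
    lines = [
        "[libdefaults]",
        f"    default_realm = {realm}",
        "    dns_lookup_kdc = true",
        "",
        "[realms]",
        f"    {realm} = {{",
    ]
    for kdc in kdcs:
        lines.append(f"        kdc = {kdc}")
    lines.append(f"        admin_server = {kdcs[0]}")
    lines.append("    }")
    lines += ["", "[domain_realm]"]
    for dom in [ad_domain] + list(extra_domains):
        dom = dom.strip().rstrip(".").lower()
        lines.append(f"    .{dom} = {realm}")  # every host under the domain
        lines.append(f"    {dom} = {realm}")   # the bare domain name itself
    return "\n".join(lines) + "\n"


def parse_domain_realm(conf_text: str) -> dict:
    """Read the [domain_realm] section back into a {pattern: realm} dict."""
    mapping = {}
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip()] = value.strip()
    return mapping


def unmapped_hosts(hosts: list, conf_text: str) -> list:
    """Hosts that no [domain_realm] entry covers; these fall back to the
    library's DNS / upper-cased-suffix guessing, which is where hosts in
    a DNS domain that differs from the AD domain usually break."""
    mapping = parse_domain_realm(conf_text)
    missing = []
    for host in hosts:
        h = host.lower().rstrip(".")
        labels = h.split(".")
        found = h in mapping  # exact host (or bare domain) match
        for i in range(1, len(labels)):
            if "." + ".".join(labels[i:]) in mapping:  # suffix match
                found = True
        if not found:
            missing.append(host)
    return missing


if __name__ == "__main__":
    conf = build_krb5_conf("ad.test.int", ["dc1.ad.test.int"],
                           ["ours.example", "contractors.example"])
    print(conf)
    print(check_realm_matches("ad.test.int", "AD.TEST.INT"))
    print(unmapped_hosts(["afs1.ours.example", "afs2.contractors.example",
                          "box.other.example"], conf))
```

Run it once against your own list of AFS servers before joining them: any host it reports as unmapped needs a [domain_realm] line (or a DNS domain change) before its service principal from ktpass will be looked up in the right realm.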
