>> 1. work a political miracle and get a Unix kerberos
>> service principal for Samba, then use just the Unix
>> realm.
>
> If I'm understanding your scenario right, I think you are missing two
> other options:
>
> 3. Create an AFS service principal in the AD realm.
>
> 4. Create a cross-realm trust between the two realms. The AFS service
> principal lives in the Unix realm, and the users get tickets for AD.
>
> Both of these let you authenticate to AFS while having tickets only for
> AD.

As we have the same situation at KTH that the keeper of the AD will not do such things unless pigz fliez, I understand Gabriel's problem.

I have been juggling with small scripts that do set KRB5CCNAME, then authenticate without afslog and then afslog to a specific cell in that token's context for years. But it still fails in situations where a program expects to have its credentials in a single KRB5CCNAME, like Thunderbird towards different realms.

So what tools do we have for "alien" multi realm scenarios?

Harald.
