On 2/15/2020 5:09 PM, Måns Nilsson wrote:
>> You only would create a system:[email protected] group and then
>> create <user>@samb4.realm entries if you were treating the two sets of
>> identities as unique.
>
> My first impression is that this is something one does only if there is no
> other way. Keeping accounts as similar across the board seems a bit easier,
> if doable. Here it is so, so we'll stick to that.

Originally there was no cross-realm (aka cross-cell in Transarc AFS
lingo).  The fact that Kerberos v4 principals contained a realm didn't
matter because the realm would be stripped when looking up the identity
in the protection service.

Later on cross-realm was created for Kerberos v4.  To ensure that names
from EXAMPLE.COM weren't mistaken for identities from EXAMPLE.NET the
realm is only stripped for the local authentication realm.

It is safe to treat more than one realm as a local authentication realm
provided that there is a guarantee that all principals from both realms
always represent the same entity.  If that is not true, then using
cross-realm identities is required.

An alternative approach would be to add support for entity aliasing to
the protection service.  The protocol extensions to do so were
standardized nine years ago but no implementation was ever developed for
OpenAFS.

I believe in your scenario, treating both realms as local is sufficient.

Jeffrey Altman
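The realm-stripping rule described in this message, written out as an added Python example (not OpenAFS code, and not part of the original thread): a principal is reduced to a bare protection-service name only when its realm is one of the configured local authentication realms, and otherwise keeps a realm qualifier so that EXAMPLE.COM and EXAMPLE.NET identities stay distinct. The assumptions here are that a v5 `name/instance` is rendered as v4-style `name.instance`, that the qualifier for a foreign realm is the lowercased realm, and that the `entity` labels in the sample data are constructed. The second function is the check the message's safety condition calls for: given which real-world entity each principal stands for, it reports any names that would merge two different entities if both realms were treated as local.

```python
from typing import Dict, FrozenSet, Set, Tuple

# Constructed sample data: two realms and the entity each principal represents.
LOCAL_REALMS: FrozenSet[str] = frozenset({"EXAMPLE.COM", "EXAMPLE.NET"})


def parse_principal(principal: str) -> Tuple[str, str]:
    """Split 'name[/instance]@REALM' into (name part, REALM).

    The realm is mandatory: without one there is nothing to compare against
    the local realm list, so the caller gets an error rather than a guess.
    """
    if "@" not in principal:
        raise ValueError(f"principal lacks a realm: {principal!r}")
    name, realm = principal.rsplit("@", 1)
    if not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name, realm


def pts_name_for(principal: str, local_realms: FrozenSet[str]) -> str:
    """Map a Kerberos principal to a protection-service name.

    Realm stripping only happens for local authentication realms; any other
    realm is kept as a qualifier (assumed here to be lowercased), so the same
    user name from two non-local realms never collapses to one identity.
    """
    name, realm = parse_principal(principal)
    # Assumption: v5 'name/instance' is rendered v4-style as 'name.instance'.
    name = name.replace("/", ".")
    if realm.upper() in {r.upper() for r in local_realms}:
        return name
    return f"{name}@{realm.lower()}"


def local_realm_collisions(
    principals: Dict[str, str], local_realms: FrozenSet[str]
) -> Dict[str, Set[str]]:
    """Check the safety condition for treating several realms as local.

    `principals` maps each principal to a label for the entity it represents.
    Returns protection-service names that would be shared by more than one
    entity; an empty result means stripping is safe for these realms.
    """
    seen: Dict[str, Set[str]] = {}
    for principal, entity in principals.items():
        seen.setdefault(pts_name_for(principal, local_realms), set()).add(entity)
    return {name: entities for name, entities in seen.items() if len(entities) > 1}


if __name__ == "__main__":
    # Constructed: the same people hold accounts in both realms, except one
    # name that belongs to different people in each realm.
    sample = {
        "alice@EXAMPLE.COM": "alice-person",
        "alice@EXAMPLE.NET": "alice-person",
        "bob/admin@EXAMPLE.COM": "bob-person",
        "carol@EXAMPLE.COM": "carol-from-com",
        "carol@EXAMPLE.NET": "carol-from-net",
        "dave@OTHER.ORG": "dave-person",
    }
    for p in sample:
        print(f"{p:25} -> {pts_name_for(p, LOCAL_REALMS)}")
    print("collisions:", local_realm_collisions(sample, LOCAL_REALMS))
```

Run as-is it prints the mapping for each constructed principal and then reports `carol` as the one name that would merge two different entities, which is exactly the case in which the message says cross-realm identities become required.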
