On Wed, 02 Jul 2014 22:18:56 +0200
Jean-Marc Choulet <[email protected]> wrote:

> A little question. We have one AFS cell myrealm.fr and a Kerberos
> realm myrealm.fr. We must use our AFS cell with another realm named
> otherrealm.fr. There is no trust relationship between myrealm.fr and
> otherrealm.fr. Is it possible?

Yes. Since you have no trust relationship between the realms, you'll
need to have both principals afs/[email protected] and
afs/[email protected], and you need to have the key data for both
be in the rxkad.keytab/KeyFile files on your servers. If I recall
correctly, if you're using the single-DES KeyFile, those two principals
need to be using different kvnos, but I don't think there's any such
restriction when using rxkad.keytab.

You also need to tell the users or client machines in OTHERREALM.FR that
they need to look in OTHERREALM.FR for the AFS service princ, and not
MYREALM.FR. That is, by default 'aklog' will try to get tickets for
afs/[email protected], but [email protected] won't be able to
get those without a cross-realm trust. Instead you want
[email protected] to look at afs/[email protected]. On
Unix, that's usually handled in the domain_realm mapping in your local
krb5.conf; you can also use the -k option to aklog.

If you want [email protected] and [email protected] to both be
the AFS user 'username', then also do what Mike Meffie said with
krb.conf. But if you want [email protected] to be a different user
than [email protected], then you can use the concept of AFS
"foreign users". That appears to be discussed a little here
<http://docs.openafs.org/AdminGuide/HDRWQ36.html#HDRWQ40>, but you can
also probably find it mentioned elsewhere. That mentions using a
cross-realm trust, since using "foreign users" usually involves a
cross-realm trust, but I think you should be able to use them just fine
with separate AFS service principals, too.

-- 
Andrew Deason
[email protected]

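The two checks Andrew describes above (both afs/<cell> service principals present in the server key store, and distinct kvnos when a single-DES KeyFile is in use) plus the client-side domain_realm mapping, as an added shell example that is not part of the original thread or of OpenAFS itself. The principal names afs/myrealm.fr@MYREALM.FR and afs/myrealm.fr@OTHERREALM.FR are assumptions (the thread's principals are redacted; afs/<cell>@<REALM> is the usual form), and the klist -ke listings are constructed so the script runs offline. In real use, pipe `klist -ke /etc/openafs/server/rxkad.keytab` into check_keytab instead.

```shell
#!/bin/sh
# Added example (not from the post).  Assumed names: cell myrealm.fr, realms
# MYREALM.FR and OTHERREALM.FR, service principals afs/myrealm.fr@<REALM>.

CELL=myrealm.fr
REALMS="MYREALM.FR OTHERREALM.FR"

# Constructed sample of `klist -ke /etc/openafs/server/rxkad.keytab` output.
# Both principals share kvno 3, which is fine for rxkad.keytab.
SAMPLE_RXKAD='Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs/myrealm.fr@MYREALM.FR (aes256-cts-hmac-sha1-96)
   3 afs/myrealm.fr@OTHERREALM.FR (aes256-cts-hmac-sha1-96)'

# Constructed listing with distinct kvnos, as the post says a single-DES
# KeyFile requires.
SAMPLE_DISTINCT='KVNO Principal
   3 afs/myrealm.fr@MYREALM.FR (des-cbc-crc)
   4 afs/myrealm.fr@OTHERREALM.FR (des-cbc-crc)'

# check_keytab MODE: read a klist -ke listing on stdin and verify that an
# afs/$CELL entry exists for every realm in $REALMS.  MODE "keyfile" also
# requires the principals to carry different kvnos; MODE "rxkad" does not.
# Exit status: 0 ok, 1 missing principal, 2 kvno clash in keyfile mode.
check_keytab() {
    mode=$1
    # "principal kvno" pairs for the afs/<cell> entries only
    entries=$(awk -v cell="$CELL" '$2 ~ "^afs/" cell "@" { print $2, $1 }')
    rc=0
    for realm in $REALMS; do
        if ! printf '%s\n' "$entries" | grep -q "^afs/$CELL@$realm "; then
            echo "missing principal afs/$CELL@$realm" >&2
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"
    if [ "$mode" = keyfile ]; then
        nprinc=$(printf '%s\n' "$entries" | awk '{ print $1 }' | sort -u | awk 'END { print NR }')
        # highest kvno per principal, then count how many distinct values remain
        nkvno=$(printf '%s\n' "$entries" \
            | awk '{ if (!($1 in k) || $2 + 0 > k[$1] + 0) k[$1] = $2 }
                   END { for (p in k) print k[p] }' \
            | sort -u | awk 'END { print NR }')
        if [ "$nkvno" -lt "$nprinc" ]; then
            echo "KeyFile mode: afs/$CELL principals must not share a kvno" >&2
            return 2
        fi
    fi
    return 0
}

# krb5.conf fragment for OTHERREALM.FR clients: map the cell name to
# OTHERREALM.FR so aklog asks for afs/myrealm.fr@OTHERREALM.FR instead of
# deriving the MYREALM.FR principal.  The post's alternative is
# "aklog -k OTHERREALM.FR" on the command line.
krb5conf_domain_realm() {
    printf '[domain_realm]\n    %s = %s\n    .%s = %s\n' \
        "$CELL" OTHERREALM.FR "$CELL" OTHERREALM.FR
}

# Stand-alone demonstration against the constructed listings.
printf '%s\n' "$SAMPLE_RXKAD" | check_keytab rxkad && echo "rxkad.keytab: ok"
printf '%s\n' "$SAMPLE_RXKAD" | check_keytab keyfile || echo "KeyFile check failed (status $?)"
printf '%s\n' "$SAMPLE_DISTINCT" | check_keytab keyfile && echo "KeyFile with distinct kvnos: ok"
krb5conf_domain_realm
```

The kvno check takes the highest kvno per principal before comparing, so a keytab that also carries older keys for the same principal (normal after a key rotation) is not reported as a clash.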
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info