[55] in SIPB-AFS-requests
SIPB cell authentication problems
daemon@ATHENA.MIT.EDU (daemon@ATHENA.MIT.EDU)
Thu Sep 14 21:23:23 1989
From: qjb@ATHENA.MIT.EDU
Date: Thu, 14 Sep 89 21:24:14 -0400
To: sipb-afsreq@ATHENA.MIT.EDU
Hmm. I thought I sent something about this earlier today, but I
can't find any trace of it.

There is a temporary solution to the problems that users have
been having on charon if they don't have a kerberos principal.
The fileserver on ronald-ann can be hacked in very few lines of
code in viced/host.c to accept principals from either the athena
kerberos realm or the SIPB.MIT.EDU kerberos realm. (Actually,
I'd recommend ((realm == local realm) || (realm == local cell)).)
This is by no means a permanent solution to the problem, but
would be very easy to implement and install.

People who don't have tickets in the athena realm could be
registered in a SIPB realm that could be served from ronald-ann.
This realm wouldn't even have to share keys with the athena
realm.

Interrealm kerberos support exists in aklog as I compiled
against new kerberos libraries. Actually the reason that I
started working on interrealm code in the first place was to get
an aklog that we could run from the SMS_TEST kerberos realm to
get tokens for the athena cell.

I'd be glad to set this up tomorrow. (9/15) I could throw in a
script that prompts for sipb realm tickets if their aklog fails
with a kerberos error...

Jay