[56] in SIPB-AFS-requests
kerberos and afs interaction in the sipb cell.
daemon@ATHENA.MIT.EDU (daemon@ATHENA.MIT.EDU)
Thu Sep 14 21:49:37 1989
From: qjb@ATHENA.MIT.EDU
Date: Thu, 14 Sep 89 17:15:40 -0400
To: sipb-afsreq@ATHENA.MIT.EDU
There is a serious problem here with people who want afs home
directories not being able to aklog to the sipb cell because
they don't have athena kerberos principals.

Although a correct fix for this problem is not simple, there is
a bit of a hack that would be a matter of only about two or
three lines of code in one file in the afs sources that would do
the trick. This would be to allow principals from the
SIPB.MIT.EDU kerberos realm to be taken seriously as well as
those from the local cell. This is definitely not a long term
solution, but would work for now. I expect that I could
implement something that would provide this functionality in
on the order of an hour as it would involve changing code with
which I am already quite familiar. The idea I have in mind is
something like this:

/afs/sipb/service/aklog would try a normal aklog. Upon
receiving a kerberos error, it would attempt to get tickets for
the SIPB realm (which would not have to share keys with the
athena realm) and try to reauthenticate with these. Note that
aklog was built with a version of the kerberos library that
handles interrealm authentication (both with shared keys and
with localrealm != realm_of_tgt) correctly. Alternatively, I
could change the already hacked login on charon (or whatever the
new login server will be) to first try to get tickets for the
local realm and then if that fails to get them for the sipb
realm.

I don't consider requiring SIPB realm tickets for access to the
sipb cell to be a solution.

Comments?

Again, this is a kludge, but it will probably solve our problem
until afs really does know about interrealm kerberos....

Jay
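The wrapper-script variant of the fallback Jay describes (try a normal aklog, and only on failure obtain tickets in the SIPB realm and retry), written as an added example rather than anything from the original message or the 1989 SIPB/Athena sources. It assumes the `-c cell` and `-k krbrealm` flags of the modern OpenAFS `aklog` and a `kinit` that takes the principal as its first argument (Kerberos 5 style; the Kerberos 4 tooling of the time was invoked differently). The command names are read from variables so the control flow can be exercised with stand-in commands.

```sh
#!/bin/sh
# Added example: aklog with a fallback to a second Kerberos realm.
# Not the original message's code; flags are those of OpenAFS aklog
# and a Kerberos 5 style kinit, which are assumptions here.

AKLOG=${AKLOG:-aklog}                  # command used to get AFS tokens
KINIT=${KINIT:-kinit}                  # command used to get Kerberos tickets
CELL=${CELL:-sipb}                     # AFS cell we want tokens for
FALLBACK_REALM=${FALLBACK_REALM:-SIPB.MIT.EDU}   # realm tried on failure

# aklog_with_fallback USER
#   1. Try a normal aklog with whatever tickets the user already holds
#      (normally ATHENA.MIT.EDU tickets from login).
#   2. If that fails, get tickets for USER in the fallback realm and
#      run aklog again, telling it which realm the tickets came from.
aklog_with_fallback() {
    user=$1
    if "$AKLOG" -c "$CELL"; then
        echo "authenticated to cell $CELL with existing tickets"
        return 0
    fi
    echo "normal aklog failed; trying realm $FALLBACK_REALM" >&2
    "$KINIT" "$user@$FALLBACK_REALM" || return 1
    "$AKLOG" -c "$CELL" -k "$FALLBACK_REALM"
}

# Run only when invoked with a user name, so the file can also be sourced.
[ "$#" -gt 0 ] && aklog_with_fallback "$1"
```

Running it as `sh aklog-fallback.sh jay` reproduces the two-step sequence from the message; a user who already holds usable tickets never sees the second realm, which is the property the proposal relies on.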