[216] in Info-AFS_Redistribution

Re: Everything you didn't want to know about Kerberos but asked

daemon@ATHENA.MIT.EDU (Mike Accetta)
Tue Jul 16 12:10:32 1991

To: bb-info-afs@cs.cmu.edu
From: Mike Accetta <mja+@cs.cmu.edu>
Reply-To: Mike.Accetta@cs.cmu.edu
Date: Tue, 16 Jul 1991 15:11:04 GMT

Marc:

Very interesting.

We are in the process of trying to provide some sort of
cross-realm/cross-cell authorization in AFS 3.x here at CMU-CS.  It
sounds like MIT may already have done something similar from your note
although it wasn't quite clear whether or not the client which employs
the user's TGT to obtain tickets in multiple cells is really doing this
or not.  Are the various MIT AFS cells all distinct Kerberos realms or
is something else going on?  If they are distinct realms, how is a file
server in say the LCS.MIT.EDU cell/realm mapping a ticket for its
service issued to marc@ATHENA.MIT.EDU into a Vice ID in the LCS.MIT.EDU
cell? 

We've been considering doing this with cross-cell protection server
queries and use of the full 32-bit Vice ID to also encode a cell
identity.  If this works it ought to be possible to allow principals in
other realms to exist on ACLs; however, we aren't yet convinced that
this approach will be feasible.

- Mike
