[BBLISA] Am I missing the screamingly obvious? (AFS/Kerberos/LDAP)

Dean Anderson dean at av8.com
Thu Mar 11 19:46:15 EST 2010


On Thu, 11 Mar 2010, Michael Tiernan wrote:

> Thanks for the response!

You are welcome.

> > It's like that movie: 'There can be only one' realm (and its backups)
> Ok, you get five geek points for sneaking a Highlander reference into
> the thread! :)

;-)

> > Cross-realm authentication is something to avoid with afs.  There is no point;
> I'm not 100% sure I get it. Sorry for being dense. :(

It's technically possible to use multiple realms. Don't try that. Stick
with just one Kerb. realm.

> Let me ask it this way. Is there a way to set up a system to be an AFS
> *client* and not a server?

Yes. Most systems are clients.  The cell for which your machine is a
client is controlled by the /usr/vice/etc/ThisCell file.  On Windows,
there is a GUI that lets you change cell membership.

> How is it that I can, after logging in, authenticate from inside one
> realm to, say UCSD, and AFS mount a user specific file space to my
> machine? (Under the 'assumption' that they make it available.)

I'm guessing you want something specific. Are the files you want access
protected by access control? or are they public?  Send me a path, and 
I'll see if they are public.

> I guess the other way of asking it is how do you let "normal" users
> in without authenticating to the local system but still be able to
> gain access to remote AFS volumes?

Login access can be independent of afs credentials.

There are two possibilities:

 1. You make your system a client of their cell  (recommended if you 
need to authenticate on their cell to access the files).

 2. You set up your own cell and client, and access their public files
over the internet.  Recommended if you want to access your own files
securely (well, DES at present; AES effort underway/done) over the
internet. There are instructions at openafs.org on setting up a cell.

E.g., from clients of my av8.net cell, I can see sipb.mit.edu public
files: 

ls -l /afs/sipb.mit.edu/
total 38
drwxrwxrwx    2 root     root         2048 Aug 27  2008 admin
drwxrwxrwx    4 root     root         2048 Oct  7 17:01 contrib
drwxrwxrwx    7 root     root         4096 Feb 11  2009 machine
drwxrwxrwx    3 root     root        12288 Feb 28 23:43 project
drwxrwxrwx   16 root     root         4096 Mar 11 02:26 service
drwxrwxrwx    8 root     root         2048 Apr 21  2005 system
drwxrwxrwx    2 root     root        12288 Mar  8 20:36 user


> (Yes, I'm reading as much as I can as fast as I can to try and figure
> it all out.)
> 
> And thank you to everyone for allowing me to use up some of this bandwidth.

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 256 5494
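The reply above says that ThisCell decides which cell a machine is a client of; the static list of a cell's database servers lives beside it in CellServDB. The script below is an added example, not code from the post or from OpenAFS: it parses both files offline and checks that the cell named in ThisCell is actually one the client has servers for. The file contents, paths and addresses are constructed here for illustration (the addresses are RFC 5737 documentation ranges, not real dbservers); on a real client the files are under /usr/vice/etc, or /etc/openafs on Debian-derived systems. A client can also find a cell's servers through DNS AFSDB/SRV records, so a failed check means "not statically configured", not necessarily "broken".

```shell
#!/bin/sh
# Added example (not from the original post or from OpenAFS): sanity-check an
# OpenAFS client's cell configuration without touching a live cell.

# Print "cellname nservers" for every cell in a CellServDB file.
# Format: ">cell.name  #comment" opens a cell; following "a.b.c.d  #host"
# lines are that cell's database servers.
cellservdb_summary() {
  awk '
    /^>/ {
      if (cell != "") print cell, n
      line = substr($0, 2); split(line, f, /[ \t#]/); cell = f[1]; n = 0
      next
    }
    /^[0-9]/ { n++ }
    END { if (cell != "") print cell, n }
  ' "$1"
}

# Exit 0 if the cell named in ThisCell ($1) has at least one dbserver listed
# in CellServDB ($2). DNS AFSDB/SRV lookup is not covered by this check.
thiscell_known() {
  cell=$(head -n 1 "$1" | tr -d ' \t\r')
  [ -n "$cell" ] || return 1
  cellservdb_summary "$2" | awk -v c="$cell" \
    '$1 == c && $2 > 0 { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# Build a constructed sample configuration in a temp dir and run the checks.
# Cell entries and addresses below are made up for the example.
demo_check() {
  d=$(mktemp -d)
  printf 'av8.net\n' > "$d/ThisCell"
  cat > "$d/CellServDB" <<'EOF'
>av8.net                #Av8 Internet (constructed entry)
192.0.2.10              #db1.av8.net
192.0.2.11              #db2.av8.net
>sipb.mit.edu           #MIT SIPB (constructed entry)
198.51.100.5            #db1.sipb.mit.edu
>nodb.example.org       #cell listed with no servers
EOF
  if thiscell_known "$d/ThisCell" "$d/CellServDB"; then r=known; else r=unknown; fi
  printf 'ThisCell=%s -> %s\n' "$(cat "$d/ThisCell")" "$r"
  cellservdb_summary "$d/CellServDB"
  rm -rf "$d"
  [ "$r" = known ]
}

demo_check
```

On a live client the same question is answered by `fs wscell` (the workstation's cell) and `fs listcells` (cells the cache manager knows servers for); after `kinit` and `aklog`, `tokens` shows which cells you hold AFS tokens for, which is what matters for the non-public paths discussed above.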