Can there be an AFS group with members of other cells in it?

Jeffrey Hutzelman <jhutz@cmu.edu>
Fri, 26 Jan 2001 18:35:27 -0500 (EST)


On Fri, 26 Jan 2001, Morris Strongson wrote:

> We have users in another cell to whom we want to give access
> certain files in our cell.  Is there a way to create a group
> in cell "abc", such as "xyzfolks" with such entries as
> "person1@xyz" (with proper syntax) so the specified
> people in the xyz cell  can access specified files
> in the abc cell?

Gee; there seems to be a lot of misinformation out there on this topic.
The short answer is "sort of".  Now let me elaborate...

Ken Hornstein is essentially correct - you can create pts entries of
the form 'user@other.cell.name' and have things work, but only _after_
you set up cross-realm authentication.

Setting up cross-realm authentication requires two steps:

1) Create a kas entry for krbtgt.OTHER.CELL.NAME in your kaserver, and
   one for krbtgt.YOUR.CELL.NAME in theirs.  Note the case of the names
   of these principals; it's very important.  Also, these entries must
   have the _same key_.  To do this, you need to use the (apparently
   hidden) 'kas setkey' command.

2) Create the PTS group 'system:authuser@other.cell.name' in your cell.
   This group is magic; it allows entries to be created for users in
   the other cell.  Such entries can be created by an administrator or
   by the user to whom they belong; the 'aklog' program will usually
   do this automatically.  Note that unlike normal groups, the group
   quota on this magic group has meaning -- it is the number of foreign
   user entries that can be created.


Now, there are still a couple of problems:
- In order to access your cell, users in the foreign cell must run
  'aklog your.cell.name'.  This requires that they have aklog, which
  does not come with AFS.  There are versions distributed with the KTH
  kerberos V4 and V5 implementations, and with Ken Hornstein's AFS-krb5
  migration kit.  Chances are that those users will also need to have
  appropriate Kerberos configuration files.

- If you are running a stock kaserver from Transarc, cross-realm
  authentication _to_ your cell will not work.  There is a bug in
  the kaserver which prevents this from working correctly.  The bug
  is fixed in OpenAFS 1.0.2, but there is still a different bug which
  affects this.  I don't speak for IBM or the OpenAFS gatekeepers, but
  I expect these problems will be fixed in IBM AFS 3.6p2 and in
  OpenAFS 1.0.3.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
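The two setup steps above, plus the "xyzfolks" group from the original question, as an added shell sketch for the admin of cell "abc.example" trusting users from cell "xyz.example". This is not code from the message or from OpenAFS; the command names and options (kas setkey -name/-new_key, pts creategroup/setfields/createuser/adduser, fs setacl) are assumed from the OpenAFS man pages and should be checked against your own release, the 16-hex-digit key is a constructed placeholder, and the script defaults to a dry run that only prints the commands so it can be read and tested away from a live kaserver.

```shell
#!/bin/sh
# Added example, not from the original message.  Defaults to a dry run
# (AFS_DRY_RUN=1) so the commands are printed rather than executed; set
# AFS_DRY_RUN=0 on a machine with kas/pts/fs and admin tokens to run them.
# Command syntax below is assumed from OpenAFS man pages; verify it.

LOCAL_CELL="${LOCAL_CELL:-abc.example}"
OTHER_CELL="${OTHER_CELL:-xyz.example}"
: "${AFS_DRY_RUN:=1}"

run() {
    if [ "$AFS_DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The krbtgt principal carries the Kerberos 4 realm, which is the cell
# name in UPPER CASE.  The kaserver compares it case-sensitively, so
# derive it from the cell name instead of typing it by hand.
krbtgt_principal() {
    printf 'krbtgt.%s\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Foreign PTS entries use the cell name in lower case: user@other.cell.
foreign_user() {
    printf '%s@%s\n' "$1" "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
}

# Step 1 (our side).  The other cell's admins create krbtgt.ABC.EXAMPLE in
# their kaserver with the *same* key; the key is a 16-hex-digit DES key
# (placeholder value below, constructed for the example).
step1_krbtgt_entry() {
    run kas setkey -name "$(krbtgt_principal "$OTHER_CELL")" -new_key "$1"
}

# Step 2.  The magic group; its group quota is the maximum number of
# foreign user entries that may be created for that cell.
step2_authuser_group() {
    group="system:authuser@$(printf '%s' "$OTHER_CELL" | tr '[:upper:]' '[:lower:]')"
    run pts creategroup -name "$group" -owner system:administrators
    run pts setfields -nameorid "$group" -groupquota "$1"
}

# The group the original poster asked about: a normal local group whose
# members are foreign users.  aklog would normally create the foreign
# entry on first use; an admin can pre-create it so the ACL works at once.
add_foreign_member() {
    entry="$(foreign_user "$1" "$OTHER_CELL")"
    run pts createuser -name "$entry"
    run pts adduser -user "$entry" -group "$2"
}

grant_group_read() {
    run fs setacl -dir "$2" -acl "$1" rl
}

if [ "${1:-}" = "demo" ]; then
    step1_krbtgt_entry 0123456789abcdef
    step2_authuser_group 200
    run pts creategroup -name xyzfolks
    add_foreign_member person1 xyzfolks
    grant_group_read xyzfolks "/afs/$LOCAL_CELL/shared/xyzfolks"
fi
```

Run it as `sh setup-xrealm.sh demo` to see the command sequence; the mirror-image step 1 must be run by the other cell's administrators with the same key, and the foreign users still need aklog and matching Kerberos configuration on their side, as the message notes.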