Manual Reference Pages  -  KRB.EXCL (5)

NAME

krb.excl - Lists exclusions for mapping Kerberos principals to AFS identities

DESCRIPTION

/usr/local/etc/openafs/server/krb.excl is an optional file that resides on an OpenAFS server and is used to list exceptions to the algorithm of mapping Kerberos principals to AFS identities. It contains the name of one or more principals; each principal should be on a line by itself. If a principal appears in this file, that principal will never be recognized by an OpenAFS server as a local identity, even if its realm is specified as a local realm in krb.conf(5).

The principal names specified in this file must include the realm, and should be in Kerberos 4 format. That is, specify user.inst@REALM, not user/inst@REALM, user.inst, or user/inst.

RATIONALE

It is possible to use the krb.conf(5) configuration file to specify that multiple Kerberos realms can be considered ‘local’ realms by OpenAFS fileservers, and those realms can be used nearly interchangeably. A site may list FOO.EXAMPLE.COM and BAR.EXAMPLE.COM to allow users to access AFS by using Kerberos tickets from either FOO.EXAMPLE.COM or BAR.EXAMPLE.COM, and be treated as AFS users local to that cell.

In many setups, one realm is really a ‘local’ realm that is managed by the AFS administrators, and another ‘foreign’ realm specified in krb.conf is managed by someone else within the same organization. In such a case, the principal names for ordinary users are the same in both realms, so users should be able to use either realm to authenticate to AFS. However, the principals for administrators are not the same between the two realms, and so the administrators in the ‘foreign’ realm should not be considered AFS administrators. Listing the ‘foreign’ realm’s administrator principals in krb.excl prevents this, while still allowing users to authenticate from either realm.

EXAMPLES

The realms FOO.EXAMPLE.COM and AD.EXAMPLE.COM are configured to both be local realms, but AD.EXAMPLE.COM should not be used by AFS administrators. The AFS administrators are admin and smith.admin. krb.excl contains:

   admin@AD.EXAMPLE.COM
   smith.admin@AD.EXAMPLE.COM

Now if someone authenticates with tickets for smith/admin@AD.EXAMPLE.COM, they will not be recognized as the smith.admin AFS identity. However, smith@AD.EXAMPLE.COM will be treated as the smith AFS identity, and smith/admin@FOO.EXAMPLE.COM will still be treated as smith.admin.
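The following is an added example, not OpenAFS code: it models the exclusion check described above, reading a krb.excl file, rewriting Kerberos 5 names into the Kerberos 4 form the file uses, and deciding whether a ticket maps to a local AFS identity. The set of local realms stands in for what krb.conf(5) would supply, and the file contents are constructed to match the example above.

```python
# Added example modelling the krb.excl check; not OpenAFS's own code.
# LOCAL_REALMS is an assumption standing in for the realms krb.conf(5) lists.

def parse_krb_excl(text):
    """Parse krb.excl contents: one principal per line, blank lines ignored."""
    excluded = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            excluded.add(line)
    return excluded

def to_krb4(principal):
    """Rewrite a Kerberos 5 name user/inst@REALM into the Kerberos 4 form
    user.inst@REALM that krb.excl entries must use."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal must include a realm: %r" % principal)
    return name.replace("/", ".") + "@" + realm

def local_afs_identity(principal, local_realms, excluded):
    """Return the AFS identity a ticket for `principal` maps to, or None
    when the server must not treat it as a local identity."""
    krb4 = to_krb4(principal)
    realm = krb4.rpartition("@")[2]
    if realm not in local_realms:
        return None   # realm is not local at all
    if krb4 in excluded:
        return None   # listed in krb.excl: never recognized as local
    return krb4.rpartition("@")[0]

# Constructed input reproducing the man page's example.
KRB_EXCL = """
admin@AD.EXAMPLE.COM
smith.admin@AD.EXAMPLE.COM
"""
LOCAL_REALMS = {"FOO.EXAMPLE.COM", "AD.EXAMPLE.COM"}

if __name__ == "__main__":
    excl = parse_krb_excl(KRB_EXCL)
    for p in ("smith/admin@AD.EXAMPLE.COM", "smith@AD.EXAMPLE.COM",
              "smith/admin@FOO.EXAMPLE.COM", "admin@AD.EXAMPLE.COM"):
        print(p, "->", local_afs_identity(p, LOCAL_REALMS, excl))
```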

SEE ALSO

krb.conf(5)

COPYRIGHT

Copyright 2010 Sine Nomine Associates

This documentation is covered by the BSD License as written in the doc/LICENSE file. This man page was written by Andrew Deason for OpenAFS.

OpenAFS KRB.EXCL (5) 2015-10-28
