Computing Facilities, Carnegie Mellon School of Computer Science
 
Cross-realm authentication

Cross-realm AFS authentication lets users in one Kerberos realm (a Kerberos "realm" is an administrative domain such as CS or Andrew; each of the cells below has a corresponding realm) work with files in another realm's AFS cell without having to authenticate separately in each one. AFS cells that support cross-realm authentication are:

  • cs.cmu.edu
  • andrew.cmu.edu
  • club.cc.cmu.edu
  • dementia.org
  • athena.mit.edu


Setting up cross-realm authentication

To set up cross-realm authentication, run the aklog command while authenticated to your local realm, giving it the name of the foreign AFS cell you want to use. Then create an entry for yourself in the foreign cell's pts database (this entry used to be created automatically; it no longer is, so the step is now done by hand). For example, if you are on a host in the cs.cmu.edu cell and want cross-realm access to the andrew.cmu.edu cell, run:

   aklog andrew.cmu.edu
If you are on a host in the andrew.cmu.edu cell and want to do cross-realm authentication with cs.cmu.edu, you should run:
   aklog cs.cmu.edu
Running aklog does two things:
  • It obtains cross-realm "tokens" that can be used to access files in the foreign cell.
  • It checks whether the protection server (pts) database in the foreign cell has an entry for the identity those tokens carry. The entry has the form userid@homecell, that is, your username followed by the name of the cell you authenticated to first (for example, hb0v@andrew.cmu.edu is the Andrew user hb0v as seen from the cs.cmu.edu cell). Such entries used to be created automatically when missing; now you must create one yourself, as shown below. Until the entry exists, file servers in the foreign cell cannot map your tokens to an identity, and you get only the rights granted to system:anyuser.
After running aklog, run the command:
   pts createuser <username>@<localcell> -cell <foreigncell>
This creates an entry for you in the foreign cell's protection database. To verify that an entry for your cross-realm tokens exists in the foreign cell's pts database, run:
   pts examine <username>@<localcell> -cell <foreigncell>
To see a list of which Andrew or ECE users have established cross-realm identities in the cs.cmu.edu cell, you can use the command:
   pts members system:authuser@{ece or andrew}.cmu.edu
To see a list of CS users who have established cross-realm identities in the andrew or ece AFS cells, you can use the command:
   pts members system:authuser@cs.cmu.edu -cell {ece or andrew}.cmu.edu
Note that you need valid cross-realm tokens before accessing files in the other cell, so run aklog for that cell each time you authenticate; the tokens expire along with the Kerberos tickets they were derived from. If you frequently access files in another cell, you may wish to put:
   aklog <foreigncell>
in your .login (or the equivalent login script for your shell).
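The setup steps above collected into one idempotent shell function that obtains the tokens, creates the pts entry only when it is missing, and verifies the result before reporting success. This is an added example, not a script supplied by SCS Facilities; it assumes the OpenAFS aklog and pts commands are on the PATH and that you already hold Kerberos tickets for your local realm. The AKLOG and PTS variables exist only so the real commands can be swapped out (for example by stub functions) when testing the script.

```shell
#!/bin/sh
# ensure_crossrealm: obtain cross-realm AFS tokens for a foreign cell and make
# sure the matching cross-realm entry exists in that cell's pts database.
# Added example for this page; not an SCS Facilities script.
# Assumes OpenAFS `aklog` and `pts` on the PATH and a valid Kerberos TGT for
# the local realm. AKLOG/PTS are overridable so the commands can be stubbed.

: "${AKLOG:=aklog}"
: "${PTS:=pts}"

# usage: ensure_crossrealm USERNAME LOCALCELL FOREIGNCELL
# On success prints the cross-realm identity (USERNAME@LOCALCELL) and returns 0.
ensure_crossrealm() {
    xr_user=$1 xr_local=$2 xr_foreign=$3
    xr_id="${xr_user}@${xr_local}"

    # 1. Cross-realm tokens for the foreign cell. Fails when there is no TGT
    #    for the local realm or the two realms do not trust each other.
    "$AKLOG" "$xr_foreign" || {
        echo "ensure_crossrealm: aklog $xr_foreign failed" >&2
        return 1
    }

    # 2. Create the pts entry only when it is missing, so the function can be
    #    called from a login script without failing on "entry already exists".
    if ! "$PTS" examine "$xr_id" -cell "$xr_foreign" >/dev/null 2>&1; then
        "$PTS" createuser "$xr_id" -cell "$xr_foreign" || {
            echo "ensure_crossrealm: pts createuser $xr_id failed" >&2
            return 1
        }
    fi

    # 3. Verify: without this entry the foreign file servers cannot map the
    #    tokens to an identity and grant only system:anyuser rights.
    "$PTS" examine "$xr_id" -cell "$xr_foreign" >/dev/null 2>&1 || {
        echo "ensure_crossrealm: $xr_id still missing in $xr_foreign" >&2
        return 1
    }
    echo "$xr_id"
}

# Run directly with three arguments, e.g.:
#   sh ensure_crossrealm.sh hb0v andrew.cmu.edu cs.cmu.edu
# or source the file and call ensure_crossrealm from your login script.
if [ $# -eq 3 ]; then
    ensure_crossrealm "$@"
fi
```

Calling this from a login script instead of a bare `aklog <foreigncell>` gives you a visible error when the tokens or the pts entry are not in place, rather than silently falling back to system:anyuser access in the foreign cell.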

Adding a cross-realm ID to ACLs and groups

Once a cross-realm ID has been created, you can add it to AFS ACLs and groups the same way you would add a user in the local cell to ACLs and groups. For example, to add the Andrew username "hb0v" to an ACL:
   fs sa my_directory hb0v@andrew.cmu.edu rl
and to a group:
   pts adduser hb0v@andrew.cmu.edu bovik:colleagues

Security

Any ACL entry for your username in another realm extends your trust to that realm: whoever can authenticate as that identity, whether because your other account was compromised or because the other realm's Kerberos servers were compromised or misadministered, can access your CS files with the rights you granted (the same applies in the other direction if the andrew.cmu.edu cell is where you keep most of your important files and you have granted cross-realm access to your CS username). For this reason, add your other realm's username only to the directories where it is actually needed, grant it only the rights it needs (often just rl), and review those ACLs with fs la from time to time.
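One way to act on the advice above and find out which of your directories currently grant rights to identities from another cell. This is an added example that parses the output of fs la (listacl); it is not part of the original page. It assumes the standard fs la output layout (an "Access list for DIR is" line followed by a "Normal rights:" section and, when present, a "Negative rights:" section, with one "name rights" pair per line) and treats any ACL name containing "@" as a cross-realm identity.

```shell
#!/bin/sh
# audit_crossrealm_acls: report ACL entries that grant rights to identities
# from another cell, reading `fs la` output on stdin.
# Added example; not an SCS Facilities tool. Assumes the usual `fs listacl`
# layout and that any ACL name containing "@" is a cross-realm identity.
#
# Usage (after sourcing this file):
#   fs la ~/pub | audit_crossrealm_acls
#   find ~ -type d -exec fs la {} + | audit_crossrealm_acls
# Output: one tab-separated line per match: directory, section, name, rights.
audit_crossrealm_acls() {
    awk '
        # "Access list for /afs/.../dir is" starts a new directory block.
        /^Access list for / { dir = $4; next }
        # "Normal rights:" / "Negative rights:" name the section that follows.
        /^(Normal|Negative) rights:/ { section = $1; next }
        # Entry lines are "name rights"; flag names from another cell.
        NF == 2 && index($1, "@") > 0 {
            printf "%s\t%s\t%s\t%s\n", dir, section, $1, $2
        }
    '
}
```

Negative-rights entries are reported too, so a cross-realm identity that appears only in a "Negative rights:" section shows up in the listing and can be told apart by the second column.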