Category Archives: Security

Cross-Realm AFS Authentication

Cross-realm AFS authentication allows users in one Kerberos realm (a Kerberos "realm" is an administrative domain such as ECE or Andrew) to manipulate files in another realm without having to authenticate separately in each one. AFS cells that support cross-realm authentication are:


Setting up cross-realm authentication

To set up cross-realm authentication, you need to run the aklog command, while authenticated to your local cell, giving it the name of the foreign AFS cell that you will be authenticating to. Then you will need to create an entry in the foreign cell's pts database. Previously, this happened automatically. For example, if you are on a host in the cell and want to do cross-realm authentication with the cell, you should run:


If you are on a host in the cell and want to do cross-realm authentication with, you should run:


Running aklog
does two things:

  • It provides cross-realm "tokens" that can be used to access files in the foreign cell.
  • It checks to see that there is an entry for the these cross-realm tokens in the protection server (pts) database in the foreign cell. If such an entry doesn't already exist, one is created. The cross-realm entry will have the form userid@foreigncell.

After running aklog
, run the comand:

   pts createuser <username>@<localcell> -cell <foreigncell>

This creates an entry for you in a foreign cell's protection database. If you want to verify that an entry for your cross-realm tokens exists in the foreign cell's pts database, you can enter the following comand:

   pts examine <username>@<localcell> -cell <foreigncell>

To see a list of which Andrew or CS users have established cross-realm identities in the cell, you can use the command:

   pts members system:authuser@{cs or andrew}

To see a list of ECE users who have established cross-realm identities in the andrew or CS AFS cells, you can use the command:

   pts members -cell {cs or andrew}

Note that you will need to run aklog
to get cross-realm tokens before accessing files in the other cell. If you are frequently accessing files in another cell, you may wish to put:

   aklog <foreigncell>

in your .login

Adding a cross-realm ID to ACLs and groups

Once a cross-realm ID has been created, you can add it to AFS ACLs and groups the same way you would add a user in the local cell to ACLs and groups. For example, to add the Andrew username "hb0v" to an ACL:

   fs sa my_directory rl

and to a group:

   pts adduser bovik:colleagues


By granting permission to access your files in the cell to your username in another realm, you have created the possibility that somebody could break into your other account and access your ECE files (the same concept applies if the cell is where you keep most of your important files and you have granted cross-realm access to your ECE username). For this reason, it is suggested that you only add your other realm's username to directories when it is necessary to do so.

Posted in Accounts, Data Storage, Security, Services