=head1 NAME

krb.excl - Lists exclusions for mapping Kerberos principals to AFS identities

=head1 DESCRIPTION

F</usr/afs/etc/krb.excl> is an optional file that resides on an OpenAFS
server and is used to list exceptions to the algorithm of mapping Kerberos
principals to AFS identities. It contains the name of one or more
principals; each principal should be on a line by itself. If a principal
appears in this file, that principal will never be recognized by an
OpenAFS server as a local identity, even if the realm is specified as a
local realm in L<krb.conf(5)>.

The principal names specified in this file must include the realm, and
should be in Kerberos 4 format. That is, specify C<user.inst@REALM>, not
C<user/inst@REALM>, C<user.inst>, nor C<user/inst>.

=head1 RATIONALE

It is possible to use the L<krb.conf(5)> configuration file to specify
that multiple Kerberos realms can be considered `local' realms by OpenAFS
fileservers, and those realms can be used nearly interchangeably. A site
may list C<FOO.EXAMPLE.COM> and C<BAR.EXAMPLE.COM> to allow users to
access AFS by using Kerberos tickets from either C<FOO.EXAMPLE.COM> or
C<BAR.EXAMPLE.COM>, and be treated as AFS users local to that cell.

In many setups, one realm is really a `local' realm that is managed by the
AFS administrators, and another `foreign' realm is specified in
F<krb.conf> that is managed by someone else, but in the same organization.
In such a case, the principal names for users are the same, so users
should be able to use either realm to authenticate to AFS. However, the
principals for administrators are not the same between the two realms, and
so the administrators in the `foreign' realm should not be considered AFS
administrators. Listing the `foreign' realm's administrator principals in
F<krb.excl> prevents this, but still allows users to use either realm.

=head1 EXAMPLES

The realms C<FOO.EXAMPLE.COM> and C<AD.EXAMPLE.COM> are configured to both
be local realms, but C<AD.EXAMPLE.COM> should not be used by AFS
administrators. The AFS administrators are C<admin> and C<smith.admin>.
F<krb.excl> contains:

    admin@AD.EXAMPLE.COM
    smith.admin@AD.EXAMPLE.COM

Now if someone authenticates with tickets for C<smith/admin@AD.EXAMPLE.COM>,
they will not be recognized as the C<smith.admin> AFS identity. However,
C<smith@AD.EXAMPLE.COM> will be treated as the C<smith> AFS identity, and
C<smith/admin@FOO.EXAMPLE.COM> will still be treated as C<smith.admin>.

=head1 SEE ALSO

L<krb.conf(5)>

=head1 COPYRIGHT

Copyright 2010 Sine Nomine Associates

This documentation is covered by the BSD License as written in the
doc/LICENSE file. This man page was written by Andrew Deason for OpenAFS.