
KRB.EXCL(5)							AFS File Reference						       KRB.EXCL(5)

NAME
       krb.excl - Lists exclusions for mapping Kerberos principals to AFS identities

DESCRIPTION
       /etc/openafs/server/krb.excl is an optional file that resides on an OpenAFS server and is used to list exceptions to the algorithm of mapping Kerberos principals to AFS identities. It contains the names of one or more principals; each principal should be on a line by itself. If a principal appears in this file, that principal will never be recognized by an OpenAFS server as a local identity, even if its realm is specified as a local realm in krb.conf(5).

       The principal names specified in this file must include the realm, and should be in Kerberos 4 format. That is, specify "user.inst@REALM", not "user/inst@REALM", "user.inst", nor "user/inst".

RATIONALE
       It is possible to use the krb.conf(5) configuration file to specify that multiple Kerberos realms are to be considered `local' realms by OpenAFS fileservers, and those realms can then be used nearly interchangeably. A site may list "FOO.EXAMPLE.COM" and "BAR.EXAMPLE.COM" to allow users to access AFS with Kerberos tickets from either "FOO.EXAMPLE.COM" or "BAR.EXAMPLE.COM", and be treated as AFS users local to that cell.

       In many setups, one realm is really a `local' realm that is managed by the AFS administrators, and another `foreign' realm listed in krb.conf is managed by someone else within the same organization. In such a case, the principal names for users are the same in both realms, so users should be able to use either realm to authenticate to AFS. However, the principals for administrators are not the same between the two realms, and so the administrators in the `foreign' realm should not be considered AFS administrators. Listing the administrator principals of the `foreign' realm in krb.excl prevents this, while still allowing users to use either realm.

EXAMPLES
       The realms "FOO.EXAMPLE.COM" and "AD.EXAMPLE.COM" are configured to both be local realms, but "AD.EXAMPLE.COM" should not be used by AFS administrators. The AFS administrators are "admin" and "smith.admin". krb.excl contains:

           admin@AD.EXAMPLE.COM
           smith.admin@AD.EXAMPLE.COM

       Now if someone authenticates with tickets for "smith/admin@AD.EXAMPLE.COM", they will not be recognized as the "smith.admin" AFS identity. However, "smith@AD.EXAMPLE.COM" will be treated as the "smith" AFS identity, and "smith/admin@FOO.EXAMPLE.COM" will still be treated as "smith.admin".

SEE ALSO
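       The mapping rules above, modelled as an added Python example (not OpenAFS code): the realm must be listed as local in krb.conf, the principal is compared in Kerberos 4 form against the krb.excl entries, and a match means the principal gets no local identity. The constant names, the sample file contents, and the rejection of names with more than one instance component are assumptions made for the example.

```python
"""Model of the krb.conf / krb.excl local-identity rules described above.
Added example, not OpenAFS code: the helper names, the sample files and
the handling of malformed names are assumptions."""

# Constructed sample configuration mirroring the EXAMPLES section:
# both realms are local (as they would be listed in krb.conf) and the
# administrator principals of AD.EXAMPLE.COM are excluded.
LOCAL_REALMS = {"FOO.EXAMPLE.COM", "AD.EXAMPLE.COM"}
KRB_EXCL_TEXT = """\
admin@AD.EXAMPLE.COM
smith.admin@AD.EXAMPLE.COM
"""


def parse_krb_excl(text):
    """One principal per line; blank lines are ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def to_krb4(principal):
    """Convert 'user/inst@REALM' to the Kerberos 4 form 'user.inst@REALM'.
    Returns None when the realm is missing or the name has more than one
    instance (Kerberos 4 names carry at most one; an assumption here)."""
    if "@" not in principal:
        return None
    name, realm = principal.rsplit("@", 1)
    parts = name.split("/")
    if not realm or len(parts) > 2 or not all(parts):
        return None
    return ".".join(parts) + "@" + realm


def afs_local_identity(principal, local_realms, excluded):
    """Return the local AFS identity for a Kerberos 5 principal, or None
    when its realm is not local or it is listed in krb.excl."""
    krb4 = to_krb4(principal)
    if krb4 is None:
        return None
    name, realm = krb4.rsplit("@", 1)
    if realm not in local_realms or krb4 in excluded:
        return None
    return name


if __name__ == "__main__":
    excl = parse_krb_excl(KRB_EXCL_TEXT)
    for p in ("smith/admin@AD.EXAMPLE.COM", "smith@AD.EXAMPLE.COM",
              "smith/admin@FOO.EXAMPLE.COM"):
        print(p, "->", afs_local_identity(p, LOCAL_REALMS, excl))
```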
       krb.conf(5)

COPYRIGHT
       Copyright 2010 Sine Nomine Associates

       This documentation is covered by the BSD License as written in the doc/LICENSE file. This man page was written by Andrew Deason for OpenAFS.

OpenAFS								  2012-03-26						       KRB.EXCL(5)

Check Out this Related Man Page

AFSLOG(1)						    BSD General Commands Manual 						 AFSLOG(1)

NAME
       afslog -- obtain AFS tokens

SYNOPSIS
       afslog [-h | --help] [--no-v4] [--no-v5] [-u | --unlog] [-v | --verbose] [--version] [-c cell | --cell=cell] [-k realm | --realm=realm] [-P principal | --principal=principal] [-p path | --file=path] [cell | path ...]

DESCRIPTION
       afslog obtains AFS tokens for a number of cells. What cells to get tokens for can either be specified as an explicit list, as file paths to get tokens for, or be left unspecified, in which case afslog will use whatever magic krb_afslog(3) decides upon.

       Supported options:

       --no-v4
               This makes afslog not try using Kerberos 4.

       --no-v5
               This makes afslog not try using Kerberos 5.

       -P principal, --principal principal
               Select what Kerberos 5 principal to use.

       --cache cache
               Select what Kerberos 5 credential cache to use. --principal overrides this option.

       -u, --unlog
               Destroy tokens instead of obtaining new ones. If this is specified, all other options are ignored (except for --help and --version).

       -v, --verbose
               Adds more verbosity about what is actually going on.

       -c cell, --cell=cell
               This specifies one or more cell names to get tokens for.

       -k realm, --realm=realm
               This is the Kerberos realm the AFS servers live in; this should normally not be specified.

       -p path, --file=path
               This specifies one or more file paths for which tokens should be obtained.

       Instead of using -c and -p, you may also pass a list of cells and file paths after any other options. These arguments are considered files if they are either the strings ``.'' or ``..'', or they contain a slash, or if there exists a file by that name.

EXAMPLES
       Assuming that there is no file called ``openafs.org'' in the current directory, and that /afs/openafs.org points to that cell, the following should be identical:

           $ afslog -c openafs.org
           $ afslog openafs.org
           $ afslog /afs/openafs.org/some/file

SEE ALSO
       krb_afslog(3)

HEIMDAL							November 26, 2002						 HEIMDAL