diff --git a/doc/man-pages/pod5/krb.conf.pod b/doc/man-pages/pod5/krb.conf.pod index cf875d2d0b..5d02a40199 100644 --- a/doc/man-pages/pod5/krb.conf.pod +++ b/doc/man-pages/pod5/krb.conf.pod @@ -13,6 +13,10 @@ then this file can be omitted. krb.conf is only needed when the Kerberos5 realm does not match the cell name or multiple Kerberos5 realms authenticate to the same AFS cell. +=head1 SEE ALSO + +L + =head1 COPYRIGHT Copyright 2008 Jason Edgecombe diff --git a/doc/man-pages/pod5/krb.excl.pod b/doc/man-pages/pod5/krb.excl.pod new file mode 100644 index 0000000000..3ce09d6387 --- /dev/null +++ b/doc/man-pages/pod5/krb.excl.pod 
@@ -0,0 +1,62 @@ +=head1 NAME + +krb.excl - Lists exclusions for mapping kerberos principals to AFS identities + +=head1 DESCRIPTION + +F is an optional file that resides on an OpenAFS +server and is used to list exceptions to the algorithm of mapping kerberos +principals to AFS identities. It contains the name of one or more +principals; each principal should be on a line by itself. If a principal +appears in this file, that principal will never be recognized by an +OpenAFS server as a local identity, even if the realm is specified as a +local realm in L. + +The principal names specified in this file must include the realm, and +should be in Kerberos 4 format. That is, specify C, not +C, C, nor C. + +=head1 RATIONALE + +It is possible to use the L configuration file to specify +that multiple Kerberos realms can be considered `local' realms by OpenAFS +fileservers, and those realms can be used nearly interchangeably. A site +may list C and C to allow users to +access AFS by using Kerberos tickets from either C or +C, and be treated as AFS users local to that cell. + +In many setups, one realm is really a `local' realm that is managed by the +AFS administrators, and another `foreign' realm is specified in +F that is managed by someone else, but in the same organization. +In such a case, the principal names for users are the same, so users +should be able to use either realm to authenticate to AFS. However, the +principals for administrators are not the same between the two realms, and +so the administrators in the `foreign' realm should not be considered AFS +administrators. Specifying the administrator principals in the `foreign' +realm prevents this, but still allows users to use either realm. + +=head1 EXAMPLES + +The realms C and C are configured to both +be local realms, but C should not be used by AFS +administrators. The AFS administrators are C and C. 
+F contains: + + admin@AD.EXAMPLE.COM + smith.admin@AD.EXAMPLE.COM + +Now if someone authenticates with tickets for C, +they will not be recognized as the C AFS identity. However, +C will be treated as the C AFS identity, and +C will still be treated as C. + +=head1 SEE ALSO + +L + +=head1 COPYRIGHT + +Copyright 2010 Sine Nomine Associates + +This documentation is covered by the BSD License as written in the +doc/LICENSE file. This man page was written by Andrew Deason for OpenAFS.
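Review bot: in the krb.conf.pod hunk the new SEE ALSO entry appears as a bare `L` formatting code with no target, which POD will not render as a link; confirm the committed line is a complete `L<...>` cross-reference to the krb.excl(5) page this patch introduces (POD's `L<name(section)>` form), and that the section is placed before COPYRIGHT consistently with the other pod5 pages.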
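Review bot: the new krb.excl.pod never states where on the server the file lives or how its lines are parsed, and the `F`, `C` and `L` formatting codes throughout the hunk show up without content, so the path, the example principal names and the krb.conf cross-reference are not visible as written; fill those in and, in DESCRIPTION, document the parsing rules a reader needs to rely on the exclusion (whether blank lines, leading or trailing whitespace and comment lines are accepted, and whether matching is an exact, case-sensitive comparison of the full `principal@REALM` string). Since the RATIONALE section's point is that a listed foreign-realm administrator must never be treated as a local identity, the wording "each principal should be on a line by itself" and "should be in Kerberos 4 format" is better stated as "must", matching the "must include the realm" sentence next to it, so that a malformed entry is clearly documented as not providing the exclusion.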