Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   26626 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

KRB.EXCL(5)		      AFS File Reference		   KRB.EXCL(5)

NAME
       krb.excl - Lists exclusions for mapping kerberos principals to AFS
       identities

DESCRIPTION
       /usr/afs/etc/krb.excl is an optional file that resides on an OpenAFS
       server and is used to list exceptions to the algorithm of mapping
       kerberos principals to AFS identities. It contains the name of one or
       more principals; each principal should be on a line by itself. If a
       principal appears in this file, that principal will never be recognized
       by an OpenAFS server as a local identity, even if the realm is
       specified as a local realm in krb.conf(5).

       The principal names specified in this file must include the realm, and
       should be in Kerberos 4 format. That is, specify "user.inst@REALM", not
       "user/inst@REALM", "user.inst", nor "user/inst".

RATIONALE
       It is possible to use the krb.conf(5) configuration file to specify
       that multiple Kerberos realms can be considered `local' realms by
       OpenAFS fileservers, and those realms can be used nearly
       interchangeably. A site may list "FOO.EXAMPLE.COM" and
       "BAR.EXAMPLE.COM" to allow users to access AFS by using Kerberos
       tickets from either "FOO.EXAMPLE.COM" or "BAR.EXAMPLE.COM", and be
       treated as AFS users local to that cell.

       In many setups, one realm is really a `local' realm that is managed by
       the AFS administrators, and another `foreign' realm is specified in
       krb.conf that is managed by someone else, but in the same organization.
       In such a case, the principal names for users are the same, so users
       should be able to use either realm to authenticate to AFS.  However,
       the principals for administrators are not the same between the two
       realms, and so the administrators in the `foreign' realm should not be
       considered AFS administrators. Specifying the administrator principals
       in the `foreign' realm prevents this, but still allows users to use
       either realm.

EXAMPLES
       The realms "FOO.EXAMPLE.COM" and "AD.EXAMPLE.COM" are configured to
       both be local realms, but "AD.EXAMPLE.COM" should not be used by AFS
       administrators. The AFS administrators are "admin" and "smith.admin".
       krb.excl contains:

	  admin@AD.EXAMPLE.COM
	  smith.admin@AD.EXAMPLE.COM

       Now if someone authenticates with tickets for
       "smith/admin@AD.EXAMPLE.COM", they will not be recognized as the
       "smith.admin" AFS identity. However, "smith@AD.EXAMPLE.COM" will be
       treated as the "smith" AFS identity, and "smith/admin@FOO.EXAMPLE.COM"
       will still be treated as "smith.admin".

SEE ALSO
       krb.conf(5)

COPYRIGHT
       Copyright 2010 Sine Nomine Associates

       This documentation is covered by the BSD License as written in the
       doc/LICENSE file. This man page was written by Andrew Deason for
       OpenAFS.

OpenAFS				  2013-10-09			   KRB.EXCL(5)

Vote for polarhome