AFS server symlinks and Kerberos authentication

Samuel L. Bayer sam at mitre.org
Thu Nov 1 02:58:37 CET 2001



All -

I'm running the latest Arla binary for MacOS X 10.1, against a local
AFS and Kerberos cell called, let's say, foo.mitre.org. The local
maintainers have set up a symlink in AFS space from foo.mitre.org to
foo, so that any client machine can access files via
/afs/foo.mitre.org/file or /afs/foo/file. The AFS client software we
use for RedHat Linux and Sparc Solaris is Transarc.

This symlink behavior seems to be transparent from the point of view
of the CellServDB file that each Linux and Solaris client has. That
is, the CellServDB file lists only foo.mitre.org, but /afs/foo is
available on all clients. Not on my MacOS X 10.1 box using the Arla
client, however. This is somewhat inconvenient, because we've also
enabled NIS on OS X, and some people have home directories in AFS
space, listed as /afs/foo/users/username, not
/afs/foo.mitre.org/users/username. Since the home directory doesn't
exist, the users can't log in.

I've tried a couple of things to work around this. First, I changed all
the references to foo.mitre.org in /usr/arla/etc to foo. This allows
me to view /afs/foo as far down as system:anyuser can see, but I can't
klog (or kalog or aklog or anything); there's no Kerberos cell named
foo, and Arla doesn't know about foo.mitre.org anymore. Then I tried
changing everything back to foo.mitre.org, and adding foo as a
duplicate entry in CellServDB; this allows me to see both
/afs/foo.mitre.org and /afs/foo, but not as aliases. That is, when I
klog (well, only kalog works for me) to foo.mitre.org, I can see
protected files in /afs/foo.mitre.org, but not in /afs/foo. So this
isn't any good either.

According to my sysadmin, setting up these aliases on the server side
is recommended best practice in the IBM Transarc docs, so it would be
nice if Arla were to support it. Anybody have any ideas?

Thanks in advance -
Samuel Bayer
The MITRE Corporation
sam at mitre.org






More information about the Arla-drinkers mailing list