[OpenAFS] Re: OpenAFS and AD trusts

Danko Antolovic dantolov@indiana.edu
Tue, 19 Jul 2011 15:56:17 -0400

If I tell aklog to go after RESOURCE.NET explicitly, I end up with the 
same error that started this thread:

[root@afs1c afs]# aklog  -d  -c afs1.bedrock.iu.edu  -k  RESOURCE.NET
Authenticating to cell afs1.bedrock.iu.edu (server afs1.bedrock.iu.edu).
We were told to authenticate to realm RESOURCE.NET.
Getting tickets: afs/afs1.bedrock.iu.edu@RESOURCE.NET
Getting tickets: afs/afs1.bedrock.iu.edu@RESOURCE.NET
Kerberos error code returned by get_cred : -1765328228
aklog: Couldn't get afs1.bedrock.iu.edu AFS tickets:
aklog: unknown RPC error (-1765328228) while getting AFS tickets

This looks like AFS is trying to get the ticket from RESOURCE.NET, and 
fails with
"-1765328228 KRB5_KDC_UNREACH Cannot contact any KDC for requested realm"

Now, RESOURCE.NET does not authenticate users, but it knows about the 
service afs/afs1.bedrock.iu.edu, and the asetkey is derived from a 
keytab for RESOURCE.NET.


Andrew Deason wrote:
> On Tue, 19 Jul 2011 14:56:01 -0400
> "Danko Antolovic" <dantolov@indiana.edu> wrote:
>> You are correct, there is no dantolov@RESOURCE.NET; there is
>> dantolov@IU.EDU, and there is also a local user dantolov with AFS ID
>> 2.  I did not see  dantolov@iu.edu as a member of
>> system:authuser@iu.edu at any time. Are you saying that the presence
>> of the local user is the problem?
> No, but it's probably making this more confusing.
>> [root@afs1c afs]# aklog  -d  -c afs1.bedrock.iu.edu
>> Authenticating to cell afs1.bedrock.iu.edu (server afs1.bedrock.iu.edu).
>> Trying to authenticate to user's realm IU.EDU.
>> Getting tickets: afs/afs1.bedrock.iu.edu@IU.EDU
> I thought your afs service principal was
> afs/afs1.bedrock.iu.edu@RESOURCE.NET ? This is making aklog think you
> are not a foreign user, and so it's not trying the automatic
> registration thing.
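The raw number in "Kerberos error code returned by get_cred : -1765328228" is a com_err code: the error-table name ("krb5") is packed into the top 24 bits, six bits per character, and the low 8 bits are the offset into that table. The following script is an added example for this thread, not code from aklog or OpenAFS; it decodes such a code and maps the offset to a short, hand-constructed subset of the krb5 table (the entries in KRB5_OFFSETS are an assumption from the MIT error table, not exhaustive), so a reader can confirm that -1765328228 is krb5 offset 156, KRB5_KDC_UNREACH, without reaching for a full krb5 install.

```python
import re

# Added example, not part of the thread: decode a raw com_err error code such
# as the -1765328228 that aklog printed above into its error table and offset.
# com_err packs a table name of up to four characters into 24 bits (6 bits per
# character) followed by an 8-bit offset, then treats the 32-bit result as a
# signed integer, which is why krb5 codes show up as large negative numbers.

def _num_from_char(ch):
    # com_err's 6-bit alphabet: A-Z -> 1..26, a-z -> 27..52, 0-9 -> 53..62, _ -> 63
    if 'A' <= ch <= 'Z':
        return ord(ch) - ord('A') + 1
    if 'a' <= ch <= 'z':
        return ord(ch) - ord('a') + 27
    if '0' <= ch <= '9':
        return ord(ch) - ord('0') + 53
    if ch == '_':
        return 63
    raise ValueError("character not in com_err alphabet: %r" % ch)

def _char_from_num(n):
    if 1 <= n <= 26:
        return chr(ord('A') + n - 1)
    if 27 <= n <= 52:
        return chr(ord('a') + n - 27)
    if 53 <= n <= 62:
        return chr(ord('0') + n - 53)
    if n == 63:
        return '_'
    return ''  # 0 is padding, not a character

def _to_signed32(u):
    return u - (1 << 32) if u & 0x80000000 else u

def table_base(name):
    """Signed base code of a four-character com_err table name, e.g. 'krb5'."""
    packed = 0
    for ch in name[:4]:
        packed = (packed << 6) | _num_from_char(ch)
    return _to_signed32((packed << 8) & 0xFFFFFFFF)

def decode_com_err(code):
    """Split a signed com_err code into (table name, offset within the table)."""
    u = code & 0xFFFFFFFF
    offset = u & 0xFF
    packed = u >> 8
    name = ''.join(_char_from_num((packed >> shift) & 63) for shift in (18, 12, 6, 0))
    return name, offset

# Partial lookup of krb5 table offsets, constructed for this example from the
# MIT krb5 error table (assumption: only a handful of common entries listed).
KRB5_OFFSETS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: Client not found in Kerberos database",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: Server not found in Kerberos database",
    24: "KRB5KDC_ERR_PREAUTH_FAILED: Preauthentication failed",
    37: "KRB5KRB_AP_ERR_SKEW: Clock skew too great",
    156: "KRB5_KDC_UNREACH: Cannot contact any KDC for requested realm",
}

# Matches the "Kerberos error code returned by get_cred : N" line aklog -d prints.
_AKLOG_RE = re.compile(r"error code returned by \w+\s*:\s*(-?\d+)")

def explain_aklog_line(line):
    """Return (code, table, offset, message) for an aklog error line, or None."""
    m = _AKLOG_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    table, offset = decode_com_err(code)
    if table != "krb5":
        message = "not a krb5 table code"
    else:
        message = KRB5_OFFSETS.get(offset, "krb5 offset not in this partial table")
    return code, table, offset, message

if __name__ == "__main__":
    # Sample input: the line quoted from the aklog -d output in the post above.
    sample = "Kerberos error code returned by get_cred : -1765328228"
    print(explain_aklog_line(sample))
```

Run it against any aklog -d transcript; a code whose decoded table is not "krb5" (for example an rxkad or ktc code) is reported as such rather than guessed at, which is the check worth doing before assuming a KDC problem.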