[OpenAFS] AFS authentication against Active Directory & MIT Kerberos V

Fabian Aichele faichele@primusnetz.de
Sun, 14 Apr 2002 14:44:01 +0200


Hello!

A while ago I asked for help with using MIT Kerberos as the authentication
source for AFS, which I got to work thanks to the tips I got from the list.
I run a small heterogeneous LAN (mainly M$ Windows stations, a few Linux
stations), and my ultimate goal would be to achieve a "single source of
authentication" so that all my users only have to remember, change etc. one
password, and to centralize user account management.
After quite a lot of searching I successfully got the Linux stations to
authenticate against the Windows 2000 Active Directory server, while getting
their user home directories from a Linux host running an OpenAFS server
authenticating against an MIT Kerberos server on the same host.
This works fine, as long as I create user principals under Windows 2000 as
well as on the MIT Kerberos server AND "force" my users to manually keep
their passwords in sync when changing them; not a satisfying solution in the
long run.
After some further experimenting I successfully established an inter-realm
trust between my two Kerberos realms
HILARENHAUS.HILARITAS.DE (the Windows 2000 Server) and
LINUX.HILARENHAUS.HILARITAS.DE (the Linux server which also runs AFS)
The name of my (private) AFS cell is linux.hilarenhaus.hilaritas.de.
The server AFS and MIT Kerberos run on is configured with
	default_realm = HILARENHAUS.HILARITAS.DE (Windows 2000 realm)

Now, if I try to obtain AFS tokens:

#-> kinit <user>@HILARENHAUS.HILARITAS.DE
...

Correctly gives me Kerberos tickets in the Windows 2000 realm

#-> aklog -d
Authenticating to cell linux.hilarenhaus.hilaritas.de (server aladar.linux.hilarenhaus.hilaritas.de)
We've deduced that we need to authenticate to realm LINUX.HILARENHAUS.HILARITAS.DE
Getting tickets: afs/linux.hilarenhaus.hilaritas.de@LINUX.HILARENHAUS.HILARITAS.DE
About to resolve name <user>@HILARENHAUS.HILARITAS.DE to id in cell linux.hilarenhaus.hilaritas.de
ID 32766
Doing first-time registration of <user>@hilarenhaus.hilaritas.de at linux.hilarenhaus.hilaritas.de
aklog: Badly formed name (group prefix doesn't match owner?) so unable to create remote PTS user <user>@hilarenhaus.hilaritas.de in cell linux.hilarenhaus.hilaritas.de (status: 267272).
Set username to <user>@hilarenhaus.hilaritas.de
Setting tokens. <user>@hilarenhaus.hilaritas.de/ @HILARENHAUS.HILARITAS.DE

Seems like AFS is not able to determine a correct PTS user id (since it uses
ID 32766 which is "system:anyuser"?).
Obviously AFS searches for the cell hilarenhaus.hilaritas.de which does not
exist.
So, how do I tell AFS to append linux.hilarenhaus.hilaritas.de as AFS cell
name for users that authenticate from the Kerberos realm
HILARENHAUS.HILARITAS.DE? Is that possible at all? Or do I have to redo the
AFS setup with the cell name hilarenhaus.hilaritas.de?
Problem is, when I abandon my MIT Kerberos Server entirely, where do I get the
Kerberos 4 tickets aklog requires from? Windows 2000 Kerberos can't produce
them.

Any hints or tips are appreciated.

Regards,
Fabian Aichele
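Added example (editor's code, not part of the original message or of OpenAFS): a small model of how a Kerberos principal turns into the PTS name AFS looks up, reconstructed from the "Set username to ..." line in the aklog -d transcript above, plus a parser for that transcript that reports what the run actually established. The local-realm list passed to pts_name stands for the realm name(s) in the server-side OpenAFS krb.conf; that the version in use here honours it, and the case-insensitive realm comparison, are assumptions. The sample transcript is the one from the post, unwrapped, with the poster's <user> placeholder kept.

```python
"""Model of the principal-to-PTS-name mapping shown in the aklog -d output
above, plus a parser for that output.  Added example, not OpenAFS code; the
mapping rule is reconstructed from what aklog printed and from the
local-realm convention, and assumptions are marked below."""
import re

# Protection-database id returned for a name that has no entry.
ANONYMOUS_ID = 32766

# Constructed sample: the aklog -d transcript from the post, unwrapped, with
# the poster's <user> placeholder kept.
AKLOG_DEBUG = """\
Authenticating to cell linux.hilarenhaus.hilaritas.de (server aladar.linux.hilarenhaus.hilaritas.de)
We've deduced that we need to authenticate to realm LINUX.HILARENHAUS.HILARITAS.DE
Getting tickets: afs/linux.hilarenhaus.hilaritas.de@LINUX.HILARENHAUS.HILARITAS.DE
About to resolve name <user>@HILARENHAUS.HILARITAS.DE to id in cell linux.hilarenhaus.hilaritas.de
ID 32766
Doing first-time registration of <user>@hilarenhaus.hilaritas.de at linux.hilarenhaus.hilaritas.de
aklog: Badly formed name (group prefix doesn't match owner?) so unable to create remote PTS user <user>@hilarenhaus.hilaritas.de in cell linux.hilarenhaus.hilaritas.de (status: 267272).
Set username to <user>@hilarenhaus.hilaritas.de
Setting tokens. <user>@hilarenhaus.hilaritas.de/ @HILARENHAUS.HILARITAS.DE
"""


def pts_name(principal, local_realms):
    """Return the PTS name AFS looks up for a Kerberos principal.

    Rule modelled here (see 'Set username to ...' in the transcript): a
    principal from one of the cell's local realms is looked up by its bare
    name; any other realm is appended in lower case, giving a foreign user.
    local_realms stands for the realm list of the server-side krb.conf
    (assumption: the comparison is case-insensitive).
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    # PTS names have no '/': a Kerberos instance separator becomes '.'
    name = name.replace("/", ".")
    if realm.upper() in {r.upper() for r in local_realms}:
        return name
    return f"{name}@{realm.lower()}"


def parse_aklog_debug(text):
    """Extract the fields worth checking from an 'aklog -d' transcript."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1) if m else None

    info = {
        "cell": grab(r"^Authenticating to cell (\S+)"),
        "server": grab(r"\(server (\S+)\)"),
        "cell_realm": grab(r"authenticate to realm (\S+)"),
        "principal": grab(r"^About to resolve name (\S+) to id"),
        "resolved_id": grab(r"^ID (-?\d+)"),
        "registered_as": grab(r"first-time registration of (\S+) at"),
        "error": grab(r"^aklog: (.*?) so unable to create remote PTS user"),
        "status": grab(r"\(status: (\d+)\)"),
        "username": grab(r"^Set username to (\S+)"),
    }
    for key in ("resolved_id", "status"):
        if info[key] is not None:
            info[key] = int(info[key])
    return info


def diagnose(info, local_realms):
    """Explain the transcript in terms of the mapping above; returns findings."""
    findings = []
    expected = pts_name(info["principal"], local_realms)
    if expected != info["username"]:
        findings.append(f"model disagrees with aklog: {expected!r} vs {info['username']!r}")
    if "@" in expected:
        realm = info["principal"].rpartition("@")[2]
        findings.append(f"realm {realm} is foreign to cell {info['cell']}; "
                        f"PTS name is {expected!r}")
    else:
        findings.append(f"realm is local to cell {info['cell']}; PTS name is {expected!r}")
    if info["resolved_id"] == ANONYMOUS_ID:
        findings.append(f"lookup returned the anonymous id {ANONYMOUS_ID}: "
                        f"no PTS entry named {info['username']!r}")
    if info["registered_as"] and info["status"] is not None:
        findings.append(f"aklog could not create {info['registered_as']!r} itself "
                        f"(status {info['status']}: {info['error']}); "
                        f"check or create it with pts as an administrator")
    return findings


if __name__ == "__main__":
    parsed = parse_aklog_debug(AKLOG_DEBUG)
    for line in diagnose(parsed, ["LINUX.HILARENHAUS.HILARITAS.DE"]):
        print("-", line)
    # The same principal if HILARENHAUS.HILARITAS.DE were listed as local:
    print(pts_name(parsed["principal"], ["HILARENHAUS.HILARITAS.DE"]))
```

Run against the transcript, the model agrees with aklog: with only the cell's own realm local, <user>@HILARENHAUS.HILARITAS.DE becomes the foreign PTS name <user>@hilarenhaus.hilaritas.de, the lookup comes back as the anonymous id 32766 (not system:anyuser, which is a negative group id), and aklog's own first-time registration fails, so nothing in PTS matches the token. The last line shows the other branch: listed as local, the same principal maps to the bare name <user>, which is the "one password, one account" outcome the post is after. Which of the two the server side actually does is a configuration question (krb.conf realm list versus PTS entries for the foreign realm) that this model only illustrates, not verifies.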