[OpenAFS] AFS authentication against Active Directory & MIT Kerberos V

Derek Atkins openafs-info@openafs.org
14 Apr 2002 10:36:42 -0400


Do you have the AFS group "system:authuser@hilarenhaus.hilaritas.de"
set up on your system?

What's going on is that aklog is trying to set up a cross-cell
authentication to your AFS cell, but you don't have the appropriate
cross-cell group set up properly to allow cross-cell auth.

-derek

"Fabian Aichele" <faichele@primusnetz.de> writes:

> Hello!
> 
> A while ago I asked for help with using MIT Kerberos as authentication
> source for AFS, which I got to work thanks to the tips I got from the list.
> I run a small heterogeneous LAN (mainly M$ Windows stations, a few Linux
> stations), and my ultimate goal would be to achieve a "single source of
> authentication" so that all my users only have to remember, change etc. one
> password, and to centralize user account management.
> After quite a lot of searching I successfully got the Linux stations to
> authenticate against the Windows 2000 Active Directory server, while getting
> their user home directories from a Linux host running an OpenAFS server
> authenticating against a MIT Kerberos server on the same host.
> This works fine, as long as I create user principals under Windows 2000 as
> well as on the MIT Kerberos server AND "force" my users to manually keep
> their passwords in sync when changing them; not a satisfying solution in the
> long run.
> After some further experimenting I successfully established an inter-realm
> trust between my two kerberos realms
> HILARENHAUS.HILARITAS.DE (the Windows 2000 Server) and
> LINUX.HILARENHAUS.HILARITAS.DE (the Linux server which also runs AFS)
> The name of my (private) AFS cell is linux.hilarenhaus.hilaritas.de.
> The server AFS and MIT Kerberos run on is configured with
> 	default_realm = HILARENHAUS.HILARITAS.DE (Windows 2000 realm)
> 
> Now, if I try to obtain AFS tokens:
> 
> #-> kinit <user>@HILARENHAUS.HILARITAS.DE
> ...
> 
> Correctly gives me Kerberos tickets in the Windows 2000 realm
> 
> #-> aklog -d
> Authenticating to cell linux.hilarenhaus.hilaritas.de (server
> aladar.linux.hilarenhaus.hilaritas.de)
> We've decuced that we need to authenticate to realm
> LINUX.HILARENHAUS.HILARITAS.DE
> Getting tickets:
> afs/linux.hilarenhaus.hilaritas.de@LINUX.HILARENHAUS.HILARITAS.DE
> About to resolve name <user>@HILARENHAUS.HILARITAS.DE to id in cell
> linux.hilarenhaus.hilaritas.de
> ID 32766
> Doing first-time registration of <user>@hilarenhaus.hilaritas.de at
> linux.hilarenhaus.hilaritas.de
> aklog: Badly formed name (group prefix doesn't match owner?) so unable to
> create remote PTS user <user>@hilarenhaus.hilaritas.de in cell
> linux.hilarenhaus.hilaritas.de (status: 267272).
> Set username to <user>@hilarenhaus.hilaritas.de
> Setting tokens. <user>@hilarenhaus.hilaritas.de/ @HILARENHAUS.HILARITAS.DE
> 
> Seems like AFS is not able to determine a correct PTS user id (since it uses
> ID 32766 which is "system:anyuser"?).
> Obviously AFS searches for the cell hilarenhaus.hilaritas.de which does not
> exist.
> So, how do I tell AFS to append linux.hilarenhaus.hilaritas.de as AFS cell
> name for users that authenticate from the Kerberos realm
> HILARENHAUS.HILARITAS.DE? Is that possible at all? Or do I have to redo the
> AFS setup with the cell name hilarenhaus.hilaritas.de?
> Problem is, when I abandon my MIT Kerberos Server entirely, where do I get the
> Kerberos 4 tickets aklog requires from? Windows 2000 Kerberos can't produce
> them.
> 
> Any hints or tips are appreciated.
> 
> Regards,
> Fabian Aichele
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
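Not part of Derek's reply or of OpenAFS itself: an added Python check that parses the "aklog -d" output quoted above, confirms the failure is the first-time-registration case (status 267272, the "Badly formed name" PTS error), and derives the cross-cell group the local cell is missing. The pts commands it emits follow the usual cross-realm setup (creategroup owned by system:administrators plus a group quota); the user name, the quota value and the admin context in which they are run are assumptions.

```python
import re

# Constructed sample, modelled on the aklog -d output quoted in the thread.
# Lines are wrapped as they were in the e-mail; the parser re-joins them.
SAMPLE_AKLOG_OUTPUT = """\
Authenticating to cell linux.hilarenhaus.hilaritas.de (server
aladar.linux.hilarenhaus.hilaritas.de)
About to resolve name someuser@HILARENHAUS.HILARITAS.DE to id in cell
linux.hilarenhaus.hilaritas.de
ID 32766
Doing first-time registration of someuser@hilarenhaus.hilaritas.de at
linux.hilarenhaus.hilaritas.de
aklog: Badly formed name (group prefix doesn't match owner?) so unable to
create remote PTS user someuser@hilarenhaus.hilaritas.de in cell
linux.hilarenhaus.hilaritas.de (status: 267272).
"""

# aklog prints the foreign realm already lowercased in the registration line.
REGISTRATION_RE = re.compile(r"first-time registration of ([^@\s]+)@(\S+) at (\S+)")
STATUS_RE = re.compile(r"unable to create remote PTS user \S+ in cell \S+ \(status: (\d+)\)")


def diagnose(aklog_output):
    """Return details of a failed cross-cell first-time registration, or None
    if the output does not show that failure."""
    flat = " ".join(aklog_output.split())  # undo mail/terminal line wrapping
    reg = REGISTRATION_RE.search(flat)
    status = STATUS_RE.search(flat)
    if reg is None or status is None:
        return None
    user, foreign_realm, local_cell = reg.groups()
    return {
        "user": user,
        "foreign_realm": foreign_realm,
        "local_cell": local_cell,
        "status": int(status.group(1)),
        # aklog creates foreign users under this group; it must already exist.
        "required_group": "system:authuser@" + foreign_realm,
    }


def remediation_commands(diag, group_quota=1000):
    """pts commands that create the missing cross-cell group in the local cell.
    Assumption: run by an AFS administrator of that cell; quota is an example value."""
    group, cell = diag["required_group"], diag["local_cell"]
    return [
        "pts creategroup %s -owner system:administrators -cell %s" % (group, cell),
        "pts setfields %s -groupquota %d -cell %s" % (group, group_quota, cell),
    ]
```

Re-run "aklog -d" after creating the group; the first-time registration should then succeed and the user should get a real PTS id rather than 32766.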