Re: [OpenAFS] AFS authentication against Active Directory & MIT Kerberos V

Fabian Aichele faichele@primusnetz.de
Sun, 14 Apr 2002 18:31:36 +0200


Hello!

Thank you for answering.
Sorry, but I didn't mention: I have two Kerberos realms, but only ONE AFS
cell.
The two realms are HILARENHAUS.HILARITAS.DE and
LINUX.HILARENHAUS.HILARITAS.DE, the AFS cell is named
linux.hilarenhaus.hilaritas.de and uses the MIT Kerberos server that
controls LINUX.HILARENHAUS.HILARITAS.DE as authentication source.
Is it possible to make AFS accept user principals from both realms (provided
the corresponding pts entries exist)? Or must I use an AFS cell that has
exactly the same name as my Kerberos realm?

From the few mailing list messages I found on my problem there seems to be a
simpler way to achieve what I'd like to do:
To use Windows 2000 Kerberos/LDAP as authentication source for my Unix
stations, and provide Kerberos 4 tickets from a krb524d that runs on my
Linux server. Did anyone get that to work?

Regards, Fabian Aichele




>Do you have the AFS group "system:authuser@hilarenhaus.hilaritas.de"
>setup on your system?
>
>What's going on is that aklog is trying to setup a cross-cell
>authentication to your AFS cell, but you don't have the appropriate
>cross-cell group setup up properly to allow cross-cell auth.
>
>-derek

>"Fabian Aichele" <faichele@primusnetz.de> writes:

>> Hello!
>>
>>A while ago I asked for help with using MIT Kerberos as authentication
>> source for AFS, which I got to work thanks to the tips I got from the list.
>> I run a small heterogeneous LAN (mainly M$ Windows stations, a few Linux
>> stations), and my ultimate goal would be to achieve a "single source of
>> authentication" so that all my users only have to remember, change etc. one
>> password, and to centralize user account management.
>> After quite a lot of searching I successfully got the Linux stations to
>> authenticate against the Windows 2000 Active Directory server, while getting
>> their user home directories from a Linux host running an OpenAFS server
>> authenticating against a MIT Kerberos server on the same host.
>> This works fine, as long as I create user principals under Windows 2000 as
>> well as on the MIT Kerberos server AND "force" my users to manually keep
>> their passwords in sync when changing them; not a satisfying solution in the
>> long run.
>> After some further experimenting I successfully established an inter-realm
>> trust between my two kerberos realms
>> HILARENHAUS.HILARITAS.DE (the Windows 2000 Server) and
>> LINUX.HILARENHAUS.HILARITAS.DE (the Linux server which also runs AFS)
>> The name of my (private) AFS cell is linux.hilarenhaus.hilaritas.de.
>> The server AFS and MIT Kerberos run on is configured with
>> 	default_realm = HILARENHAUS.HILARITAS.DE (Windows 2000 realm)
>>
>> Now, if I try to obtain AFS tokens:
>>
>> #-> kinit <user>@HILARENHAUS.HILARITAS.DE
>> ...
>>
>> Correctly gives me Kerberos tickets in the Windows 2000 realm
>>
>> #-> aklog -d
>> Authenticating to cell linux.hilarenhaus.hilaritas.de (server
>> aladar.linux.hilarenhaus.hilaritas.de)
>> We've decuced that we need to authenticate to realm
>> LINUX.HILARENHAUS.HILARITAS.DE
>> Getting tickets:
>> afs/linux.hilarenhaus.hilaritas.de@LINUX.HILARENHAUS.HILARITAS.DE
>> About to resolve name <user>@HILARENHAUS.HILARITAS.DE to id in cell
>> linux.hilarenhaus.hilaritas.de
>> ID 32766
>> Doing first-time registration of <user>@hilarenhaus.hilaritas.de at
>> linux.hilarenhaus.hilaritas.de
>> aklog: Badly formed name (group prefix doesn't match owner?) so unable to
>> create remote PTS user <user>@hilarenhaus.hilaritas.de in cell
>> linux.hilarenhaus.hilaritas.de (status: 267272).
>> Set username to <user>@hilarenhaus.hilaritas.de
>> Setting tokens. <user>@hilarenhaus.hilaritas.de/ @HILARENHAUS.HILARITAS.DE
>>
>> Seems like AFS is not able to determine a correct PTS user id (since it uses
>> ID 32766 which is "system:anyuser"?).
>> Obviously AFS searches for the cell hilarenhaus.hilaritas.de which does not
>> exist.
>> So, how do I tell AFS to append linux.hilarenhaus.hilaritas.de as AFS cell
>> name for users that authenticate from the Kerberos realm
>> HILARENHAUS.HILARITAS.DE? Is that possible at all? Or do I have to redo the
>> AFS setup with the cell name hilarenhaus.hilaritas.de?
>> Problem is, when I abandon my MIT Kerberos Server entirely, where do I get the
>> Kerberos 4 tickets aklog requires from? Windows 2000 Kerberos can't produce
>> them.
>>
>> Any hints or tips are appreciated.
>>
>> Regards,
>> Fabian Aichele
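As an added illustration, not code from this thread or from OpenAFS itself: the `aklog -d` output above shows what aklog does with a principal from a foreign realm. It lower-cases the realm to build the PTS name `<user>@hilarenhaus.hilaritas.de`, and when that name does not resolve it attempts a first-time registration, which the ptserver refuses with "Badly formed name" (status 267272) unless the group `system:authuser@<lower-cased realm>` exists in the cell. The script below models that naming, checks a group listing for the required group, and prints the `pts` commands that prepare the cell. Assumptions: `exampleuser` is a placeholder user name, the group listing is a constructed sample rather than real `pts` output, and the `pts creategroup` / `pts setfields -groupquota` invocations follow the OpenAFS administration documentation as I recall it (confirm the flags with `pts help` on your own release).

```shell
#!/bin/sh
# Added example, not from the thread or from OpenAFS. Models the naming
# aklog applies to a foreign-realm principal and prints the pts commands
# that let the ptserver accept its first-time registration.

# aklog lower-cases the Kerberos realm to form the AFS/PTS suffix.
realm_to_afs() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# PTS name aklog asks the cell to resolve for a principal user@REALM:
# the bare user name if REALM is the cell's own realm, "user@realm"
# (realm lower-cased) for any other realm.
pts_name_for() {
    princ=$1
    cell_realm=$2
    user=${princ%@*}
    realm=${princ##*@}
    if [ "$realm" = "$cell_realm" ]; then
        printf '%s\n' "$user"
    else
        printf '%s@%s\n' "$user" "$(realm_to_afs "$realm")"
    fi
}

# Group the ptserver looks up before it will create "user@realm".
authuser_group_for() {
    printf 'system:authuser@%s\n' "$(realm_to_afs "${1##*@}")"
}

# Is the group present in a listing of group names, one per line?
# (Constructed input here; in a real cell derive it from `pts listentries`.)
has_group() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Print the pts commands that create the group and give it a registration
# quota; prints nothing when the cell already has the group. The quota is
# what bounds how many foreign users aklog may auto-register (assumption:
# 1000 is the value used in the OpenAFS documentation example).
prepare_commands() {
    group=$(authuser_group_for "$1")
    if has_group "$group" "$2"; then
        return 0
    fi
    printf 'pts creategroup %s -owner system:administrators\n' "$group"
    printf 'pts setfields %s -groupquota 1000\n' "$group"
}

# Constructed sample: group names of a cell that has not been prepared yet.
SAMPLE_GROUPS='system:administrators
system:anyuser
system:authuser
system:backup
system:ptsviewers'

# Run with --demo to see the name mapping and the commands for the thread's
# two realms (exampleuser is a placeholder).
if [ "${1:-}" = "--demo" ]; then
    pts_name_for 'exampleuser@HILARENHAUS.HILARITAS.DE' 'LINUX.HILARENHAUS.HILARITAS.DE'
    prepare_commands 'exampleuser@HILARENHAUS.HILARITAS.DE' "$SAMPLE_GROUPS"
fi
```

Once the group exists with a quota, the ptserver creates the `<user>@hilarenhaus.hilaritas.de` entry on the next `aklog`, so access lists in the cell can name users from the Windows realm directly, without a second cell or a renamed one.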