AW: [OpenAFS] AFS authentication against Active Directory & MIT Kerberos V

Fabian Aichele faichele@primusnetz.de
Sun, 14 Apr 2002 22:23:25 +0200


Hello!

All right, I created the system:authuser@hilarenhaus.hilaritas.de group,
and I also added my MIT Kerberos host as KDC to my Windows realm definition
in krb5.conf. These two steps did the trick, I get AFS tokens with my
foreign user account!
There is still a little "flaw". aklog sets my tokens correctly, but the user
id it uses is still 32766 (anyuser, shouldn't that be different?), and

<snip from "aklog -d">
doing first-time registration of <user>@hilarenhaus.hilaritas.de at
linux.hilarenhaus.hilaritas.de
aklog: permission denied so unable to create remote PTS user
<user>@hilarenhaus.hilaritas.de in cell linux.hilarenhaus.hilaritas.de
(status: 267269).
</snip>

So this probably means that something is missing some administrative
privileges, but: Who/what exactly needs which privileges?

After all those issues, it is probably time to write a verbose HOWTO on the
topic AFS/Kerberos/Active Directory...

Thank you for your tips,
Fabian Aichele

>>"Fabian Aichele" <faichele@primusnetz.de> writes:

>> Hello!
>>
>> Thank you for answering.
>> Sorry, but I didn't mention: I have two Kerberos realms, but only ONE AFS
>> cell.

>That's ok.  This is still "cross-cell authentication", where you have
>one kerberos realm that is equal to your cellname and other which is
>not.  Users in the "foreign" kerberos realm behave as foreign AFS
>users, but can still authenticate.

>> The two realms are HILARENHAUS.HILARITAS.DE and
>> LINUX.HILARENHAUS.HILARITAS.DE, the AFS cell is named
>> linux.hilarenhaus.hilaritas.de and uses the MIT Kerberos server that
>> controls LINUX.HILARENHAUS.HILARITAS.DE as authentication source.
>> Is it possible to make AFS accept user principals from both realms (provided
>> the according pts entries exist)? Or must I use an AFS cell that has
>> exactly the same name as my Kerberos realm?

>I don't know if OpenAFS has the code to treat multiple Kerberos Realms
>as equivalent.  The only issue with using this code (if it exists) is
>that userX@REALM1 and userX@REALM2 are assumed to be the same user,
>which means you have to make sure that the two kerberos realms have a
>flat namespace.

>What I was saying earlier about cross-cell Authentication is the
>easier route to use, and works just fine in your current environment.

>Just create your cross-cell group in AFS using your administrator tokens:

>        pts creategroup system:authuser@hilarenhaus.hilaritas.de \
>                system:administrators -cell linux.hilarenhaus.hilaritas.de

>Then try your aklog again as your foreign user.

>-derek

>--
>       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>       Member, MIT Student Information Processing Board  (SIPB)
>       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>       warlord@MIT.EDU                        PGP key available
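The steps discussed in this thread (creating the cross-cell group owned by system:administrators, then letting a foreign-realm user run aklog) collected into one admin-side script. This is an added example, not code from the thread or from OpenAFS; it assumes the cell and realm names used above, that `pts` is on PATH, that the caller holds administrator tokens in the cell, and that `pts examine` prints its first line as `Name: ..., id: ..., owner: ..., creator: ...,`. Pre-creating the foreign user's PTS entry with admin tokens is an assumption about how to avoid relying on aklog's own first-time registration; the sample `pts examine` line is constructed.

```shell
#!/bin/sh
# Hypothetical helper (added example): prepare an OpenAFS cell for
# cross-cell authentication from a foreign Kerberos realm and verify it.
set -eu

CELL="linux.hilarenhaus.hilaritas.de"   # the single AFS cell from the thread

# Derive the cross-cell group name ptserver expects for a principal, e.g.
# user@HILARENHAUS.HILARITAS.DE -> system:authuser@hilarenhaus.hilaritas.de
# (aklog lower-cases the realm when it forms the PTS name, see the aklog -d output)
authuser_group_for() {
    realm=$(printf '%s' "$1" | sed 's/^.*@//' | tr 'A-Z' 'a-z')
    printf 'system:authuser@%s\n' "$realm"
}

# The PTS user name aklog registers for a principal: user@realm, realm lower-cased.
pts_name_for() {
    user=$(printf '%s' "$1" | sed 's/@.*$//')
    realm=$(printf '%s' "$1" | sed 's/^.*@//' | tr 'A-Z' 'a-z')
    printf '%s@%s\n' "$user" "$realm"
}

# Extract the owner field from the first line of 'pts examine' output.
owner_from_examine() {
    printf '%s\n' "$1" | sed -n 's/.*owner: \([^,]*\),.*/\1/p'
}

# Constructed sample line in the assumed 'pts examine' format (not real output).
SAMPLE_EXAMINE='Name: system:authuser@hilarenhaus.hilaritas.de, id: -210, owner: system:administrators, creator: admin,'

# Admin-side procedure; only runs when invoked as: ./script.sh setup user@REALM
# Needs administrator tokens in $CELL (the foreign user's own token maps to
# anyuser, 32766, until a PTS entry exists, which is why aklog got PRPERM).
setup_cross_cell() {
    principal="$1"
    group=$(authuser_group_for "$principal")
    ptsuser=$(pts_name_for "$principal")

    # Step from the thread: the group must exist and be owned by system:administrators.
    if ! pts examine "$group" -cell "$CELL" >/dev/null 2>&1; then
        pts creategroup "$group" system:administrators -cell "$CELL"
    fi
    owner=$(owner_from_examine "$(pts examine "$group" -cell "$CELL" | head -n 1)")
    if [ "$owner" != "system:administrators" ]; then
        echo "error: $group is owned by '$owner', expected system:administrators" >&2
        return 1
    fi

    # Assumed alternative to aklog's self-registration: create the foreign
    # user entry with admin tokens and make sure it is in the cross-cell group.
    if ! pts examine "$ptsuser" -cell "$CELL" >/dev/null 2>&1; then
        pts createuser "$ptsuser" -cell "$CELL"
    fi
    if ! pts membership "$ptsuser" -cell "$CELL" | grep -qx "  $group"; then
        pts adduser "$ptsuser" "$group" -cell "$CELL"
    fi
    echo "ok: $ptsuser registered in $CELL, member of $group"
    echo "now run 'kinit $principal && aklog -d' as the foreign user and check 'tokens'"
}

if [ "${1:-}" = "setup" ]; then
    setup_cross_cell "$2"
fi
```

Running `./script.sh setup fabian@HILARENHAUS.HILARITAS.DE` with admin tokens performs the setup; without arguments the script only defines the helpers, so the name derivations can be checked on their own before touching the cell.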