AW: [OpenAFS] AFS authentication against Active Directory & MIT Kerberos V
Fabian Aichele
faichele@primusnetz.de
Sun, 14 Apr 2002 22:23:25 +0200
Hello!
All right, I created the system:authuser@hilarenhaus.hilaritas.de group,
and I also added my MIT Kerberos host as KDC to my Windows realm definition
in krb5.conf. These two steps did the trick, I get AFS tokens with my
foreign user account!
There is still a little "flaw". aklog sets my tokens correctly, but the user
id it uses is still 32766 (anyuser, shouldn't that be different?), and
<snip from "aklog -d">
doing first-time registration of <user>@hilarenhaus.hilaritas.de at
linux.hilarenhaus.hilaritas.de
aklog: permission denied so unable to create remote PTS user
<user>@hilarenhaus.hilaritas.de in cell linux.hilarenhaus.hilaritas.de
(status: 267269).
</snip>
So this probably means that something is missing some administrative
privileges, but: Who/what exactly needs which privileges?
After all those issues, it is probably time to write a verbose HOWTO on the
topic AFS/Kerberos/Active Directory...
Thank you for your tips,
Fabian Aichele
>>"Fabian Aichele" <faichele@primusnetz.de> writes:
>> Hello!
>>
>> Thank you for answering.
>> Sorry, but I didn't mention: I have two Kerberos realms, but only ONE AFS
>> cell.
>That's ok. This is still "cross-cell authentication", where you have
>one kerberos realm that is equal to your cellname and other which is
>not. Users in the "foreign" kerberos realm behave as foreign AFS
>users, but can still authenticate.
>> The two realms are HILARENHAUS.HILARITAS.DE and
>> LINUX.HILARENHAUS.HILARITAS.DE, the AFS cell is named
>> linux.hilarenhaus.hilaritas.de and uses the MIT Kerberos server that
>> controls LINUX.HILARENHAUS.HILARITAS.DE as authentication source.
>> Is it possible to make AFS accept user principals from both realms
>> (provided the according pts entries exist)? Or must I use an AFS cell that has
>> exactly the same name as my Kerberos realm?
>I don't know if OpenAFS has the code to treat multiple Kerberos Realms
>as equivalent. The only issue with using this code (if it exists) is
>that userX@REALM1 and userX@REALM2 are assumed to be the same user,
>which means you have to make sure that the two kerberos realms have a
>flat namespace.
>What I was saying earlier about cross-cell Authentication is the
>easier route to use, and works just fine in your current environment.
>Just create your cross-cell group in AFS using your administrator tokens:
> pts creategroup system:authuser@hilarenhaus.hilaritas.de \
> system:administrators -cell linux.hilarenhaus.hilaritas.de
>Then try your aklog again as your foreign user.
>-derek
>--
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> warlord@MIT.EDU PGP key available
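The procedure discussed in this thread (the cross-cell group plus registering the foreign-realm user in the cell's protection database), collected into a script as an added example that is not from the thread or from OpenAFS itself. It uses the cell and realm names above; the lowercase-realm PTS naming follows the aklog output quoted above, and the pre-registration step assumes the administrator does it with system:administrators tokens instead of relying on aklog's first-time self-registration.

```shell
#!/bin/sh
# Added example: prepare the AFS cell so a user from a foreign Kerberos realm
# gets a real PTS identity, rather than being denied at self-registration.

CELL="linux.hilarenhaus.hilaritas.de"        # the single AFS cell
FOREIGN_REALM="HILARENHAUS.HILARITAS.DE"     # the Active Directory realm

# Lowercase a Kerberos realm the way aklog does when it builds PTS names.
lc_realm() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# PTS name that user@REALM from the foreign realm maps to: user@realm.
foreign_pts_name() {
    user=${1%@*}; realm=${1#*@}
    printf '%s@%s' "$user" "$(lc_realm "$realm")"
}

# Name of the cross-cell group every registered foreign user belongs to.
authuser_group() {
    printf 'system:authuser@%s' "$(lc_realm "$1")"
}

# Create the cross-cell group (owned by system:administrators); skips the
# creategroup if the group already exists. Needs admin tokens in $CELL.
create_cross_cell_group() {
    group=$(authuser_group "$FOREIGN_REALM")
    pts examine "$group" -cell "$CELL" >/dev/null 2>&1 ||
        pts creategroup "$group" system:administrators -cell "$CELL"
}

# Pre-register one foreign principal (e.g. jdoe@HILARENHAUS.HILARITAS.DE)
# and put it in the cross-cell group. Needs admin tokens in $CELL.
register_foreign_user() {
    name=$(foreign_pts_name "$1")
    pts createuser "$name" -cell "$CELL" &&
        pts adduser "$name" "$(authuser_group "$FOREIGN_REALM")" -cell "$CELL"
}

# Typical use, after kinit as an administrator and aklog:
#   create_cross_cell_group && register_foreign_user "jdoe@$FOREIGN_REALM"
```

Afterwards "aklog -d" run by that foreign user should no longer attempt a first-time registration, and "tokens" should show the user's own PTS id instead of 32766, which is the AFS anonymous id.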