Re: [OpenAFS] AFS authentication against Active Directory & MIT Kerberos V
Derek Atkins
warlord@MIT.EDU
14 Apr 2002 17:24:53 -0400
Do you have a shared key between the two kerberos realms?
-derek
"Fabian Aichele" <faichele@primusnetz.de> writes:
> Hello!
>
> All right, I created the system:authuser@hilarenhaus.hilaritas.de group,
> and I also added my MIT Kerberos host as KDC to my Windows realm definition
> in krb5.conf. These two steps did the trick, I get AFS tokens with my
> foreign user account!
> There is still a little "flaw". aklog sets my tokens correctly, but the user
> id it uses is still 32766 (anyuser, shouldn't that be different?), and
>
> <snip from "aklog -d">
> doing fist-time registration of <user>@hilarenhaus.hilaritas.de at
> linux.hilarenhaus.hilaritas.de
> aklog: permission denied so unable to create remote PTS user
> <user>@hilarenhaus.hilaritas.de in cell linux.hilarenhaus.hilaritas.de
> (status: 267269).
> </snip>
>
> So this probably means that something is missing some administrative
> privileges, but: Who/what exactly needs which privileges?
>
> After all those issues, it is probably time to write a verbose HOWTO on the
> topic AFS/Kerberos/Active Directory...
>
> Thank you for your tips,
> Fabian Aichele
>
> >>"Fabian Aichele" <faichele@primusnetz.de> writes:
>
> >> Hello!
> >>
> >> Thank you for answering.
> >> Sorry, but I didn't mention: I have two Kerberos realms, but only ONE AFS
> >> cell.
>
> >That's ok. This is still "cross-cell authentication", where you have
> >one kerberos realm that is equal to your cellname and another which is
> >not. Users in the "foreign" kerberos realm behave as foreign AFS
> >users, but can still authenticate.
>
> >> The two realms are HILARENHAUS.HILARITAS.DE and
> >> LINUX.HILARENHAUS.HILARITAS.DE, the AFS cell is named
> >> linux.hilarenhaus.hilaritas.de and uses the MIT Kerberos server that
> >> controls LINUX.HILARENHAUS.HILARITAS.DE as authentication source.
> >> Is it possible to make AFS accept user principals from both realms
> >> (provided the corresponding pts entries exist)? Or must I use an AFS
> >> cell that has exactly the same name as my Kerberos realm?
>
> >I don't know if OpenAFS has the code to treat multiple Kerberos Realms
> >as equivalent. The only issue with using this code (if it exists) is
> >that userX@REALM1 and userX@REALM2 are assumed to be the same user,
> >which means you have to make sure that the two kerberos realms have a
> >flat namespace.
>
> >What I was saying earlier about cross-cell Authentication is the
> >easier route to use, and works just fine in your current environment.
>
> >Just create your cross-cell group in AFS using your administrator tokens:
>
> > pts creategroup system:authuser@hilarenhaus.hilaritas.de \
> > system:administrators -cell linux.hilarenhaus.hilaritas.de
>
> >Then try your aklog again as your foreign user.
>
> >-derek
>
> >--
> > Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > Member, MIT Student Information Processing Board (SIPB)
> > URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> > warlord@MIT.EDU PGP key available
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
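The cross-cell setup Derek describes, as an added shell example (not code from the thread): it builds the system:authuser@<realm> group name from the foreign realm, creates the group only if pts does not already know it, and recognises the "unable to create remote PTS user" failure in an aklog -d transcript. It assumes pts and aklog are on PATH and that admin tokens are held when the group is created; the helper names are my own.

```shell
#!/bin/sh
# Added example for the cross-cell authentication setup discussed above.
# Assumes: pts and aklog on PATH; admin tokens held when creating the group.

# AFS names the cross-cell group after the foreign realm in lower case,
# so HILARENHAUS.HILARITAS.DE -> system:authuser@hilarenhaus.hilaritas.de
crosscell_group() {   # $1 = foreign Kerberos realm
    printf 'system:authuser@%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Does an `aklog -d` transcript (on stdin) show the automatic PTS
# registration of the foreign user failing? Until that entry exists the
# token maps to anyuser (id 32766), as seen in the thread.
aklog_registration_failed() {
    grep -q 'unable to create remote PTS user'
}

# Create the cross-cell group in the local cell if it is missing.
# Owner is system:administrators, as in Derek's command.
ensure_crosscell_group() {   # $1 = local AFS cell, $2 = foreign realm
    group=$(crosscell_group "$2")
    if pts examine "$group" -cell "$1" >/dev/null 2>&1; then
        echo "ok: $group already exists in cell $1"
    else
        pts creategroup "$group" system:administrators -cell "$1"
    fi
}

# Typical run (as an AFS administrator), then retry as the foreign user:
#   ensure_crosscell_group linux.hilarenhaus.hilaritas.de HILARENHAUS.HILARITAS.DE
#   aklog -d -cell linux.hilarenhaus.hilaritas.de
```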