[OpenAFS] AFS authentication against Active Directory & MIT Kerberos V

Douglas E. Engert deengert@anl.gov
Mon, 15 Apr 2002 11:21:13 -0500


One way to think about this is the AFS cell is willing to accept
authentication from multiple Kerberos V realms. The AFS cell is thus not
in one realm. Think of the AFS cell as not the same as a Kerberos V realm.
  

We do something like what you are doing with a W2K domain with most users,
and an MIT realm for some users and unix hosts. (We used to have a DCE cell
as well.)  See the partial diff file below. 

But we also have some additional mods to krb524 and krb524d so as to 
only use the K5 protocols, and to separate the K5 keys from the 
AFS keys. This allows us to have two (three when we had DCE) krb524ds
running, one (plus replicate) for each realm, which would return a token 
for our AFS cell. Note that when a W2K user accesses AFS, he only uses the 
W2K domain controller, as the KDC. He does not need the MIT realm we have at all.
  
A future enhancement is to not use krb524d at all, but rather a
gssklogd which uses GSSAPI for authentication and returns an AFS token. 

If you want more info drop me a note.
  

Fabian Aichele wrote:
> 
> Hello!
> 
> A while ago I asked for help with using MIT Kerberos as authentication
> source for AFS, which I got to work thanks to the tips I got from the list.
> I run a small heterogeneous LAN (mainly M$ Windows stations, a few Linux
> stations), and my ultimate goal would be to achieve a "single source of
> authentication" so that all my users only have to remember, change etc. one
> password, and to centralize user account management.
> After quite a lot of searching I successfully got the Linux stations to
> authenticate against the Windows 2000 Active Directory server, while getting
> their user home directories from a Linux host running an OpenAFS server
> authenticating against a MIT Kerberos server on the same host.
> This works fine, as long as I create user principals under Windows 2000 as
> well as on the MIT Kerberos server AND "force" my users to manually keep
> their passwords in sync when changing them; not a satisfying solution in the
> long run.
> After some further experimenting I successfully established an inter-realm
> trust between my two kerberos realms
> HILARENHAUS.HILARITAS.DE (the Windows 2000 Server) and
> LINUX.HILARENHAUS.HILARITAS.DE (the Linux server which also runs AFS)
> The name of my (private) AFS cell is linux.hilarenhaus.hilaritas.de.
> The server AFS and MIT Kerberos run on is configured with
>         default_realm = HILARENHAUS.HILARITAS.DE (Windows 2000 realm)
> 
> Now, if I try to obtain AFS tokens:
> 
> #-> kinit <user>@HILARENHAUS.HILARITAS.DE
> ...
> 
> Correctly gives me Kerberos tickets in the Windows 2000 realm
> 
> #-> aklog -d
> Authenticating to cell linux.hilarenhaus.hilaritas.de (server
> aladar.linux.hilarenhaus.hilaritas.de)
> We've decuced that we need to authenticate to realm
> LINUX.HILARENHAUS.HILARITAS.DE
> Getting tickets:
> afs/linux.hilarenhaus.hilaritas.de@LINUX.HILARENHAUS.HILARITAS.DE
> About to resolve name <user>@HILARENHAUS.HILARITAS.DE to id in cell
> linux.hilarenhaus.hilaritas.de
> ID 32766
> Doing first-time registration of <user>@hilarenhaus.hilaritas.de at
> linux.hilarenhaus.hilaritas.de
> aklog: Badly formed name (group prefix doesn't match owner?) so unable to
> create remote PTS user <user>@hilarenhaus.hilaritas.de in cell
> linux.hilarenhaus.hilaritas.de (status: 267272).
> Set username to <user>@hilarenhaus.hilaritas.de
> Setting tokens. <user>@hilarenhaus.hilaritas.de/ @HILARENHAUS.HILARITAS.DE
> 
> Seems like AFS is not able to determine a correct PTS user id (since it uses
> ID 32766 which is "system:anyuser"?).
> Obviously AFS searches for the cell hilarenhaus.hilaritas.de which does not
> exist.
> So, how do I tell AFS to append linux.hilarenhaus.hilaritas.de as AFS cell
> name for users that authenticate from the Kerberos realm
> HILARENHAUS.HILARITAS.DE? Is that possible at all? Or do I have to redo the
> AFS setup with the cell name hilarenhaus.hilaritas.de?
> Problem is, when I abandon my MIT Kerberos Server entirely, where do I get the
> Kerberos 4 tickets aklog requires from? Windows 2000 Kerberos can't produce
> them.
> 
> Any hints or tips are appreciated.
> 
> Regards,
> Fabian Aichele
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

*** ,aklog_main.c       Fri Jul 15 13:35:18 1994
--- aklog_main.c        Tue Jul 24 08:34:08 2001
***************
*** 337,351 ****
            }
        }
        else {
!           if ((status = params.get_user_realm(realm_of_user)) != KSUCCESS) {
!               sprintf(msgbuf, "%s: Couldn't determine realm of user: %s)",
!                       progname, krb_err_txt[status]);
                params.pstderr(msgbuf);
                return(AKLOG_KERBEROS);
            }
            if (strcmp(realm_of_user, realm_of_cell)) {
                strcat(username, "@");
                strcat(username, realm_of_user);
            }
  
            if (dflag) {
--- 457,483 ----
            }
        }
        else {
!           if ((status = params.get_user_realm(context, realm_of_user)) != KSUCCESS) {
!               sprintf(msgbuf, "%s: Couldn't determine realm of user:)",
!                       progname);
                params.pstderr(msgbuf);
+               com_err(progname, status, " while getting realm");
                return(AKLOG_KERBEROS);
            }
            if (strcmp(realm_of_user, realm_of_cell)) {
+ #ifdef ANL_ONLY
+                       if (!(!strcmp(realm_of_user,"ANL.GOV") ||
+                                 !strcmp(realm_of_user,"dce.anl.gov") ||
+                                 !strcmp(realm_of_user,"KRB5.ANL.GOV"))
+                               ||
+                               !(!strcmp(realm_of_cell,"ANL.GOV") ||
+                                 !strcmp(realm_of_cell,"dce.anl.gov") ||
+                                 !strcmp(realm_of_cell,"KRB5.ANL.GOV")))
+ #endif
+                       {
                strcat(username, "@");
                strcat(username, realm_of_user);
+                       }
            }
  
            if (dflag) {
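Review bot: the ANL_ONLY block inside `if (strcmp(realm_of_user, realm_of_cell))` hard-codes the three ANL realm names, so a build with that define silently maps `user@KRB5.ANL.GOV`, `user@dce.anl.gov` and `user@ANL.GOV` onto the same bare PTS name `user`; that is only safe where those realms really are one administrative namespace, so the list belongs in a configuration file (or at least one table with a comment stating that assumption) rather than in string compares behind an ifdef. Two smaller points: the new message `"%s: Couldn't determine realm of user:)"` keeps the stray `)` from the old format string even though the `%s` it closed is gone, and the added lines are tab-indented while the surrounding code uses spaces.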


-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
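As an added example (not code from aklog or from Argonne), the name-mapping rule the thread turns on: aklog appends the user's realm, lowercased, to the PTS name whenever that realm differs from the cell's realm, which is why `<user>@HILARENHAUS.HILARITAS.DE` became `<user>@hilarenhaus.hilaritas.de` above. The `equivalent_realms` parameter is an assumed configuration, not an aklog option; it generalises the ANL_ONLY change by letting a site declare which realms share the cell's PTS namespace.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    pts_name: str   # name aklog would look up (or register) in PTS
    foreign: bool   # True when an "@realm" suffix was appended


def pts_name_for(principal: str, realm_of_cell: str,
                 equivalent_realms: frozenset = frozenset()) -> Mapping:
    """Map a Kerberos principal user@REALM to the PTS user name.

    Plain aklog behaviour: if REALM differs from realm_of_cell, the PTS
    name is user + "@" + REALM lowercased (matching the debug output in
    the thread).  equivalent_realms is an assumed site configuration:
    when both the user's realm and the cell's realm are in it, the user
    is treated as local and gets the bare name, as the ANL_ONLY block
    does for its three hard-coded realms.  Every realm in that set shares
    one PTS namespace, so only realms under one administrative control
    belong there; otherwise alice@A and alice@B become the same AFS user.
    """
    if "@" not in principal:
        raise ValueError("principal must look like user@REALM")
    user, realm_of_user = principal.rsplit("@", 1)
    if not user or not realm_of_user or "@" in user:
        raise ValueError("malformed principal: %r" % principal)
    if "/" in user:
        # Principal instances (user/admin) map differently in aklog;
        # this example deliberately does not handle them.
        raise ValueError("instances are not handled here: %r" % principal)
    if ":" in user:
        # A colon would make PTS read the name as a group, not a user.
        raise ValueError("colon not allowed in a PTS user name: %r" % user)

    if realm_of_user == realm_of_cell:
        return Mapping(user, False)
    if realm_of_user in equivalent_realms and realm_of_cell in equivalent_realms:
        return Mapping(user, False)
    return Mapping("%s@%s" % (user, realm_of_user.lower()), True)


if __name__ == "__main__":
    cell = "LINUX.HILARENHAUS.HILARITAS.DE"
    trusted = frozenset({cell, "HILARENHAUS.HILARITAS.DE"})
    for p in ("fabian@" + cell, "fabian@HILARENHAUS.HILARITAS.DE"):
        print(p, "->", pts_name_for(p, cell), "| trusted:", pts_name_for(p, cell, trusted))
```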