AW: AW: [OpenAFS] AFS authentication against Active Directory & MIT Kerberos V

Derek Atkins openafs-info@openafs.org
15 Apr 2002 20:13:10 -0400


First, please CC openafs-info; others may be able to help.

That being said....  Note that you need both principals:

krbtgt/HILARENHAUS.HILARITAS.DE@LINUX.HILARENHAUS.HILARITAS.DE
krbtgt/LINUX.HILARENHAUS.HILARITAS.DE@HILARENHAUS.HILARITAS.DE

in BOTH realms in order to get cross-realm to work properly!
Or, at least, you need to have the correct set of keys, and
honestly I can never remember which set you need in order
to jump from realm A to realm B.

Also note that the keys and KVNOs need to match.

If these do not match, then yes, that could be the cause of your
problem.

After you aklog, what happens if you 'klist'?

-derek

"Fabian Aichele" <faichele@primusnetz.de> writes:

> Hello!
> 
> Sorry for the delay.
> Which kind of shared key? Host key?
> Keys for the krbtgt principals? I accidentally stumbled over this in the
> Kerberos FAQ at
> http://www.faqs.org/faqs/kerberos-faq/general/section-48.html.
> When I first established the inter-realm trust between my Linux and my
> Windows realm, I created the principals
> krbtgt/HILARENHAUS.HILARITAS.DE@LINUX.HILARENHAUS.HILARITAS.DE (in the Linux
> realm)
> krbtgt/LINUX.HILARENHAUS.HILARITAS.DE@HILARENHAUS.HILARITAS.DE (in the
> Windows realm),
> but I did not exchange these principal's keys in the way the FAQ describes.
> Is it that what causes the "permission denied so unable to create remote PTS
> user" error?
> 
> 
> >Do you have a shared key between the two kerberos realms?
> 
> >-derek
> 
> >>"Fabian Aichele" <faichele@primusnetz.de> writes:
> 
> >> Hello!
> >>
> >> All right, I created the system:authuser@hilarenhaus.hilaritas.de
> >> group,
> >> and I also added my MIT Kerberos host as KDC to my Windows realm
> >> definition
> >> in krb5.conf. These two steps did the trick, I get AFS tokens with my
> >> foreign user account!
> >> There is still a little "flaw". aklog sets my tokens correctly, but the
> >> user
> >> id it uses is still 32766 (anyuser, shouldn't that be different?), and
> >>
> >> <snip from "aklog -d">
> >> doing fist-time registration of <user>@hilarenhaus.hilaritas.de at
> >> linux.hilarenhaus.hilaritas.de
> >> aklog: permission denied so unable to create remote PTS user
> >> <user>@hilarenhaus.hilaritas.de in cell linux.hilarenhaus.hilaritas.de
> >> (status: 267269).
> >> </snip>
> >>
> >> So this probably means that something is missing some administrative
> >> privileges, but: Who/what exactly needs which privileges?
> >>
> >> After all those issues, it is probably time to write a verbose HOWTO on
> >> the
> >> topic AFS/Kerberos/Active Directory...
> >>
> >> Thank you for your tips,
> >> Fabian Aichele
> 
> 
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
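The point Derek makes above, that both cross-realm krbtgt principals must exist in both realms with matching keys and KVNOs, is something worth checking mechanically before chasing PTS errors. The script below is an added example written for this archive page; it is not code from the thread or from OpenAFS. It takes the output of MIT kadmin's `getprinc` for each principal as dumped from each KDC, and reports any principal that is missing on one side or whose kvno/enctype set differs. The realm names are the ones from the thread; the `getprinc` dumps, and the enctypes in them, are constructed sample data. Since Active Directory has no `getprinc`, the example assumes you have written the AD side's kvno and enctype (as shown by `ktpass` or `kvno`) into the same text format by hand.

```python
"""Added example: verify that the two cross-realm krbtgt principals agree
(kvno and enctype) on both KDCs.  Sample dumps below are constructed."""
import re
from dataclasses import dataclass

LINUX_REALM = "LINUX.HILARENHAUS.HILARITAS.DE"   # MIT KDC realm (from the thread)
AD_REALM = "HILARENHAUS.HILARITAS.DE"            # Active Directory realm (from the thread)

# Constructed sample: what 'getprinc' on the MIT KDC would print for both
# cross-realm principals (other getprinc lines omitted; enctypes illustrative).
SAMPLE_LINUX = """\
Principal: krbtgt/HILARENHAUS.HILARITAS.DE@LINUX.HILARENHAUS.HILARITAS.DE
Expiration date: [never]
Number of keys: 1
Key: vno 2, aes256-cts-hmac-sha1-96
Principal: krbtgt/LINUX.HILARENHAUS.HILARITAS.DE@HILARENHAUS.HILARITAS.DE
Expiration date: [never]
Number of keys: 1
Key: vno 2, aes256-cts-hmac-sha1-96
"""

# Constructed sample for the AD side, transcribed by hand into the same format
# (assumption: AD has no getprinc).  One kvno deliberately disagrees.
SAMPLE_AD = """\
Principal: krbtgt/HILARENHAUS.HILARITAS.DE@LINUX.HILARENHAUS.HILARITAS.DE
Number of keys: 1
Key: vno 1, aes256-cts-hmac-sha1-96
Principal: krbtgt/LINUX.HILARENHAUS.HILARITAS.DE@HILARENHAUS.HILARITAS.DE
Number of keys: 1
Key: vno 2, aes256-cts-hmac-sha1-96
"""

KEY_RE = re.compile(r"^Key: vno (\d+), ([\w-]+)")


@dataclass(frozen=True)
class PrincEntry:
    name: str
    keys: frozenset  # set of (kvno, enctype) pairs


def parse_getprinc(text):
    """Parse one or more concatenated getprinc outputs into {name: PrincEntry}."""
    entries = {}
    name, keys = None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Principal: "):
            if name is not None:
                entries[name] = PrincEntry(name, frozenset(keys))
            name, keys = line[len("Principal: "):], set()
            continue
        m = KEY_RE.match(line)
        if m and name is not None:
            keys.add((int(m.group(1)), m.group(2)))
    if name is not None:
        entries[name] = PrincEntry(name, frozenset(keys))
    return entries


def cross_realm_principals(realm_a, realm_b):
    """The two krbtgt principals that must exist, with the same key, in BOTH realms."""
    return [f"krbtgt/{realm_b}@{realm_a}", f"krbtgt/{realm_a}@{realm_b}"]


def check_cross_realm(dump_a, dump_b, realm_a, realm_b):
    """Return a list of human-readable problems; an empty list means both KDCs
    hold both principals with identical kvno/enctype sets."""
    a, b = parse_getprinc(dump_a), parse_getprinc(dump_b)
    problems = []
    for princ in cross_realm_principals(realm_a, realm_b):
        ea, eb = a.get(princ), b.get(princ)
        if ea is None or eb is None:
            missing = [r for r, e in ((realm_a, ea), (realm_b, eb)) if e is None]
            problems.append(f"{princ} missing from KDC of {', '.join(missing)}")
            continue
        if ea.keys != eb.keys:
            problems.append(
                f"{princ}: kvno/enctype differ: {realm_a} has {sorted(ea.keys)}, "
                f"{realm_b} has {sorted(eb.keys)}"
            )
    return problems


if __name__ == "__main__":
    for problem in check_cross_realm(SAMPLE_LINUX, SAMPLE_AD, LINUX_REALM, AD_REALM) or ["OK"]:
        print(problem)
```

The check only compares kvno and enctype, since `getprinc` never shows key material; two entries that pass this check can still hold different keys if the password was typed differently on each side, in which case re-keying both entries together is the usual fix.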