[OpenAFS] Manually Creating Cross Realm Users

Chris McClimans openafs-info@mcclimans.net
Tue, 5 Aug 2003 07:27:59 -0500


There is no way to create an openafs server keytab from a password eh?
One thing here is that the kerberos realm administrators should not
have administrative authority over the afs/cell. If they create the
keytab and send it to us, they could connect to any of our afs services
with administrative privileges. In our scenario we only trust the other
kerberos realm as an authentication source for users, not an
administrative authority for anything else.

It looks like I'll have to hack ptserver to allow me to control the
UIDs and still use crossrealm kerberos users.

Maybe I could hack the database offline? Does anyone have pointers to
the format or other suggestions?
-chris


On Tuesday, July 29, 2003, at 01:26  PM, Douglas E. Engert wrote:

>
>
> Chris McClimans wrote:
>>
>> Is there a way to create an afs service principal and get the
>> appropriate keytab files out of a Microsoft win2k KDC?
>> I am not in administration for the remote KDC, and don't have a
>> user/admin principal on the MS KDC.
>
> Technically if you don't have admin rights on the KDC you can never
> get the key. That's the point of the key being the shared secret
> between the KDC and the server. The admin of the KDC needs to
> get involved to get you the secret as the representative of the service.
>
> See the MS ktpass command, which can produce a keytab, and is used by
> the admin to set the service principal mapping. I think you can run it
> locally.
>
>
>>
>> For example:
>>
>> mccliman@oak:~$ /usr/sbin/kadmin -r TTU.EDU -p username@TTU.EDU
>> Authenticating as principal username@TTU.EDU with password.
>> Enter password:
>> kadmin: Databasetd: recv suboption NAWS 0 100 (100) 0 53 (53)e
>> initializing kadmin interface
>>
>> What other methods do I have to work with to get a working
>> afs/my.cell.edu@WINDOWS.REALM?
>> Is there a way to generate a keytab/afskey based on the known password
>> in the KDC for that principal?
>> -chris
>>
>> On Friday, July 25, 2003, at 11:57  PM, Derek Atkins wrote:
>>
>>> Chris McClimans <Chris.McClimans@ttu.edu> writes:
>>>
>>>> Does this mean that the pts entry would be username for the principal
>>>> username@REMOTE.REALM and I could pts createuser username -id 12345?
>>>> -chris
>>>
>>> Assuming you make "REMOTE.REALM" the kerberos realm for your cell, and
>>> obtain a key, afs/your.cell@REMOTE.REALM...  For a user with a
>>> kerberos principal of username@REMOTE.REALM you would give them a pts
>>> name of "username" and you can assign them an id of whatever you want.
>>>
>>> e.g.:
>>>
>>> klist
>>> ...
>>> Default principal: warlord@ATHENA.MIT.EDU
>>> ...
>>> 07/26/03 00:39:12  07/26/03 10:39:12  afs.athena.mit.edu@ATHENA.MIT.EDU
>>> 07/26/03 00:39:12  07/26/03 10:39:12  afs.sipb.mit.edu@ATHENA.MIT.EDU
>>> ...
>>>
>>> tokens
>>> User's (AFS ID 9661) tokens for afs@sipb.mit.edu [Expires Jul 26 10:39]
>>> User's (AFS ID 9661) tokens for afs@athena.mit.edu [Expires Jul 26 10:39]
>>> ...
>>> --> pts exa 9661 -c sipb
>>> Name: warlord, id: 9661, owner: system:administrators, creator: ...
>>>
>>> -derek
>>>
>>> --
>>>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>>>        Member, MIT Student Information Processing Board  (SIPB)
>>>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>>>        warlord@MIT.EDU                        PGP key available
>>
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>
> -- 
>
>  Douglas E. Engert  <DEEngert@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
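Added example, written for this archive page and not posted by any of the participants: a small POSIX sh helper that applies the mapping Derek describes (principal username@REMOTE.REALM becomes pts name "username", with an id the cell administrator chooses) while enforcing the trust boundary Chris asks for, so only plain user principals from the single trusted realm are ever turned into pts entries. The realm REMOTE.REALM, the cell my.cell.edu and the id range are assumed values; replace them for a real cell.

```sh
#!/bin/sh
# Added example (not from the thread). Maps cross-realm Kerberos user
# principals to pts entries with administrator-controlled ids. The remote
# realm is trusted only as an authentication source, so anything that is
# not a plain user principal in exactly that realm is refused.
# Assumed values: trusted realm, cell name and id range.
TRUSTED_REALM="REMOTE.REALM"
CELL="my.cell.edu"
ID_MIN=10000
ID_MAX=19999

# pts_name_for_principal PRINCIPAL
# Prints the pts name for a user principal of the trusted realm; fails
# (no output, status 1) for foreign realms, instances and malformed input.
pts_name_for_principal() {
    princ=$1
    case "$princ" in
        ""|@*|*@*@*) return 1 ;;        # empty, no name part, or two '@'
    esac
    name=${princ%@*}
    realm=${princ#*@}
    # No '@' at all leaves realm == princ, which also fails this check.
    [ "$realm" = "$TRUSTED_REALM" ] || return 1
    case "$name" in
        */*|*:*) return 1 ;;            # user/admin instances, ':' is reserved
    esac
    printf '%s\n' "$name"
}

# pts_create_cmd PRINCIPAL ID
# Emits the pts command that creates the entry with the id we chose,
# after checking the id is numeric and inside our reserved range.
pts_create_cmd() {
    id=$2
    name=$(pts_name_for_principal "$1") || return 1
    case "$id" in ''|*[!0-9]*) return 1 ;; esac
    [ "$id" -ge "$ID_MIN" ] && [ "$id" -le "$ID_MAX" ] || return 1
    printf 'pts createuser -name %s -id %s -cell %s\n' "$name" "$id" "$CELL"
}

# Example from the thread: username@REMOTE.REALM with id 12345.
pts_create_cmd "username@REMOTE.REALM" 12345
```

Pipe the output to sh once you are satisfied with it; keeping the generation step separate lets you review which principals would be admitted before any pts database change is made.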