[OpenAFS] one afs/cell.domain princs per realm

Douglas E. Engert deengert@anl.gov
Wed, 27 Aug 2003 11:20:11 -0500


Ken Hornstein wrote:
> 
> >In order to make the TTU.EDU princs appear local I had the
> >administrators of TTU.EDU create an afs/cs.ttu.edu@TTU.EDU in the
> >windows AD/Kerberos realm. It's not a v4 ticket obviously, but it was
> >created as DES-CBC-CRC. They don't run krb524 so I've tried to run one
> >locally using a keytab file containing afs/cs.ttu.edu for both realm
> >and point my clients to it. Things were running fine when I was only
> >using the afs/cs.ttu.edu@CS.TTU.EDU and the normal krb524 with -X
> >(crossrealm).
> 
> Well, the -X means "allow _V4_ crossrealm", which opens up a really big
> security hole.  But hey, that's your realm, not mine :-/
> 
> The real problem is that what you're doing is unfortunately doomed to
> failure.
> 
> The only way principals appear "local" to AFS is if the realm in
> their Kerberos ticket matches the Kerberos realm defined for the AFS
> server.  By default, the realm of the cell is the cell name.  You can
> change the realm, but the real problem is that you're only allowed _one_
> realm for an AFS cell to be in.  So you have two choices to do what
> you want:
> 
> - Hack your 524 ticket converter to rewrite that foreign realm's tickets
>   to have the "right" realm.  There's been code floating around to do
>   that; I personally think that's scary, because of name collisions, but
>   it's an option.
> - Just use the TTU.EDU realm.  To do _that_ you have three options:
> 
>   - Convince them to run krb524.  I don't really understand why they wouldn't,
>     but some people are a bit crazy.
>   - Run it yourself, using a keytab they give you.  This means that you'll
>     have to change aklog to point to "your" 524 converter (by default it
>     uses one on the KDC).
>   - Change aklog to simply mangle the V5 ticket appropriately.  See the
>     mailing list archives for the discussion on this.  If you do
>     this, Derrick Brashear will curse you until the day he dies, but
>     he does that for _so_ many people, I think the effect is getting
>     kinda diluted :-)

Or just run the gssklog, as it can map multiple realms to the same AFS cell
and can map individual users as well. It uses separate keys for the
authentication vs. the encryption of the ticket in the AFS token,
and the client has no problems finding the servers.


> 
> --Ken
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
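As an added example (not code from this thread, from OpenAFS or from gssklog), a small Python model of the rule Ken quotes above: a principal is local to a cell only when its ticket realm equals the cell's single configured realm (default: the cell name upper-cased), plus a collision check for the realm-rewriting 524-converter option he calls scary. Function names, the `trusted_realms` parameter and the sample principals are assumptions constructed for illustration.

```python
# Added example, not code from the thread or from OpenAFS: models the rule that
# a principal is local to an AFS cell only when its ticket realm equals the one
# realm configured for the cell (default: the cell name upper-cased), and shows
# why rewriting a foreign realm onto tickets (the "hack the 524 converter"
# option) risks name collisions. All names and inputs below are constructed.
from collections import defaultdict


def cell_realm(cell, configured_realm=None):
    """Realm the cell's servers accept: the override if set, else the upper-cased cell name."""
    return configured_realm if configured_realm else cell.upper()


def split_principal(principal):
    """'name@REALM' -> (name, REALM); a principal without a realm is rejected."""
    if "@" not in principal:
        raise ValueError("principal has no realm: %r" % principal)
    return tuple(principal.rsplit("@", 1))


def is_local(principal, cell, configured_realm=None):
    """True only when the ticket's realm matches the cell's single realm."""
    return split_principal(principal)[1] == cell_realm(cell, configured_realm)


def rewrite_realm(principal, trusted_realms, cell, configured_realm=None):
    """The 'scary' option: stamp the local realm onto tickets from listed foreign realms."""
    name, realm = split_principal(principal)
    if realm in trusted_realms:
        return "%s@%s" % (name, cell_realm(cell, configured_realm))
    return principal


def find_collisions(principals, trusted_realms, cell, configured_realm=None):
    """Map each rewritten identity to its source principals; entries with >1 source collide."""
    seen = defaultdict(list)
    for p in principals:
        seen[rewrite_realm(p, trusted_realms, cell, configured_realm)].append(p)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    cell = "cs.ttu.edu"  # cell name taken from the thread; principals are constructed
    princs = ["alice@CS.TTU.EDU", "alice@TTU.EDU", "bob@TTU.EDU"]
    print(find_collisions(princs, {"TTU.EDU"}, cell))
    # {'alice@CS.TTU.EDU': ['alice@CS.TTU.EDU', 'alice@TTU.EDU']}
```

Two distinct people, alice@CS.TTU.EDU and alice@TTU.EDU, end up as the same AFS identity once the foreign realm is rewritten, which is the collision Ken refers to.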