[OpenAFS] Manually Creating Cross Realm Users
Chris McClimans
openafs-info@mcclimans.net
Tue, 29 Jul 2003 07:48:31 -0500
Is there a way to create an afs service principal and get the
appropriate keytab files out of a Microsoft win2k KDC?
I am not in administration for the remote KDC, and don't have a
user/admin principal on the MS KDC.
For example:
mccliman@oak:~$ /usr/sbin/kadmin -r TTU.EDU -p username@TTU.EDU
Authenticating as principal username@TTU.EDU with password.
Enter password:
kadmin: Databasetd: recv suboption NAWS 0 100 (100) 0 53 (53)e
initializing kadmin interface
What other methods do I have to work with to get a working
afs/my.cell.edu@WINDOWS.REALM?
Is there a way to generate a keytab/afskey based on the known password
in the KDC for that principal?
-chris
On Friday, July 25, 2003, at 11:57 PM, Derek Atkins wrote:
> Chris McClimans <Chris.McClimans@ttu.edu> writes:
>
>> Does this mean that the pts entry would be username for the principal
>> username@REMOTE.REALM and I could pts createuser username -id 12345?
>> -chris
>
> Assuming you make "REMOTE.REALM" the Kerberos realm for your cell, and
> obtain a key, afs/your.cell@REMOTE.REALM... For a user with a
> kerberos principal of username@REMOTE.REALM you would give them a pts
> name of "username" and you can assign them an id of whatever you want.
>
> e.g.:
>
> klist
> ...
> Default principal: warlord@ATHENA.MIT.EDU
> ...
> 07/26/03 00:39:12 07/26/03 10:39:12 afs.athena.mit.edu@ATHENA.MIT.EDU
> 07/26/03 00:39:12 07/26/03 10:39:12 afs.sipb.mit.edu@ATHENA.MIT.EDU
> ...
>
> tokens
> User's (AFS ID 9661) tokens for afs@sipb.mit.edu [Expires Jul 26 10:39]
> User's (AFS ID 9661) tokens for afs@athena.mit.edu [Expires Jul 26 10:39]
> ...
> --> pts exa 9661 -c sipb
> Name: warlord, id: 9661, owner: system:administrators, creator: ...
>
> -derek
>
> --
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> warlord@MIT.EDU PGP key available