[OpenAFS] Manually Creating Cross Realm Users

Douglas E. Engert deengert@anl.gov
Tue, 29 Jul 2003 13:26:51 -0500


Chris McClimans wrote:
> 
> Is there a way to create an afs service principal and get the
> appropriate keytab files out of a Microsoft win2k KDC?
> I am not in administration for the remote KDC, and don't have a
> user/admin principal on the MS KDC.

Technically, if you don't have admin rights on the KDC you can never
get the key. That's the point of the key being the shared secret
between the KDC and the server. The admin of the KDC needs to
get involved to get you the secret as the representative of the service.

See the MS ktpass command, which can produce a keytab, and is used by the
admin to set the service principal mapping. I think you can run it locally.
 

> 
> For example:
> 
> mccliman@oak:~$ /usr/sbin/kadmin -r TTU.EDU -p username@TTU.EDU
> Authenticating as principal username@TTU.EDU with password.
> Enter password:
> kadmin: Databasetd: recv suboption NAWS 0 100 (100) 0 53 (53)e
> initializing kadmin interface
> 
> What other methods do I have to work with to get a working
> afs/my.cell.edu@WINDOWS.REALM.
> Is there a way to generate a keytab/afskey based on the known password
> in the KDC for that principal?
> -chris
> 
> On Friday, July 25, 2003, at 11:57  PM, Derek Atkins wrote:
> 
> > Chris McClimans <Chris.McClimans@ttu.edu> writes:
> >
> >> Does this mean that the pts entry would be username for the principal
> >> username@REMOTE.REALM and I could pts createuser username -id 12345?
> >> -chris
> >
> > Assuming you make "REMOTE.REALM" the kerberos realm for your cell, and
> > obtain a key, afs/your.cell@REMOTE.REALM...  For a user with a
> > kerberos principal of username@REMOTE.REALM you would give them a pts
> > name of "username" and you can assign them an id of whatever you want.
> >
> > e.g.:
> >
> > klist
> > ...
> > Default principal: warlord@ATHENA.MIT.EDU
> > ...
> > 07/26/03 00:39:12  07/26/03 10:39:12  afs.athena.mit.edu@ATHENA.MIT.EDU
> > 07/26/03 00:39:12  07/26/03 10:39:12  afs.sipb.mit.edu@ATHENA.MIT.EDU
> > ...
> >
> > tokens
> > User's (AFS ID 9661) tokens for afs@sipb.mit.edu [Expires Jul 26 10:39]
> > User's (AFS ID 9661) tokens for afs@athena.mit.edu [Expires Jul 26
> > 10:39]
> > ...
> > --> pts exa 9661 -c sipb
> > Name: warlord, id: 9661, owner: system:administrators, creator: ...
> >
> > -derek
> >
> > --
> >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> >        Member, MIT Student Information Processing Board  (SIPB)
> >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
> >        warlord@MIT.EDU                        PGP key available
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
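The pts naming rule Derek describes (a principal in the cell's realm gets the bare user name) and the afs/my.cell.edu@WINDOWS.REALM service ticket Chris is after, worked as an added example; this is not code from the thread or from OpenAFS. It assumes the usual OpenAFS convention that a foreign-realm principal is named user@realm with the realm lower-cased and that "/" in a principal becomes "." in the pts name; the klist text is constructed in the layout shown in the thread.

```python
"""Derive the pts entry name a cell should hold for a Kerberos principal
and pick the afs service tickets out of klist output."""
import re

# "user[/instance]@REALM" as printed by klist and kadmin.
_PRINC = re.compile(r"^([^/@\s]+)(?:/([^@\s]+))?@([^@\s]+)$")


def parse_principal(princ):
    """Split a Kerberos principal into (primary, instance or None, realm)."""
    m = _PRINC.match(princ.strip())
    if not m:
        raise ValueError("not a Kerberos principal: %r" % princ)
    return m.group(1), m.group(2), m.group(3)


def pts_name_for(princ, cell_realm):
    """pts entry name for princ in a cell whose Kerberos realm is cell_realm."""
    primary, instance, realm = parse_principal(princ)
    name = primary if instance is None else "%s.%s" % (primary, instance)
    if realm.upper() == cell_realm.upper():
        return name                              # cell's own realm: bare name
    return "%s@%s" % (name, realm.lower())       # foreign realm (assumed convention)


def afs_tickets(klist_output):
    """Return [(cell, realm)] for each afs service ticket in klist output."""
    found = []
    for line in klist_output.splitlines():
        fields = line.split()
        if len(fields) != 5:                     # "date time date time principal"
            continue
        try:
            primary, instance, realm = parse_principal(fields[4])
        except ValueError:                       # header line, not a ticket
            continue
        if primary != "afs":
            continue
        # afs@REALM names the cell after the realm; afs/cell@REALM names it outright.
        found.append((instance or realm.lower(), realm))
    return found


# Constructed sample (not real output) in the layout klist prints in the thread.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: username@WINDOWS.REALM

Valid starting     Expires            Service principal
07/26/03 00:39:12  07/26/03 10:39:12  krbtgt/WINDOWS.REALM@WINDOWS.REALM
07/26/03 00:39:12  07/26/03 10:39:12  afs/my.cell.edu@WINDOWS.REALM
07/26/03 00:40:02  07/26/03 10:40:02  afs@OTHER.REALM
"""
```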