[OpenAFS] Manually Creating Cross Realm Users
Chris McClimans
openafs-info@mcclimans.net
Tue, 29 Jul 2003 13:56:00 -0500
Thanks for the information Douglas.
I'll be getting with the administrators today and check out the ktpass
command.
Now that the KDC is a Windows 2000 PDC, etc., where does the krb524
daemon need to run? I assume we still need it somewhere in order for
clients to get tokens. I doubt this is run by default on Microsoft's
implementation ;)
-chris
On Tuesday, July 29, 2003, at 01:26 PM, Douglas E. Engert wrote:
>
>
> Chris McClimans wrote:
>>
>> Is there a way to create an afs service principal and get the
>> appropriate keytab files out of a Microsoft win2k KDC?
>> I am not in administration for the remote KDC, and don't have a
>> user/admin principal on the MS KDC.
>
> Technically if you don't have admin rights on the KDC you can never
> get the key. That's the point of the key being the shared secret
> between the KDC and the server. The admin of the KDC needs to
> get involved to get you the secret as the representative of the service.
>
> See the MS ktpass command, which can produce a keytab, and is used by
> the admin to set the service principal mapping. I think you can run it
> locally.
>
>
>>
>> For example:
>>
>> mccliman@oak:~$ /usr/sbin/kadmin -r TTU.EDU -p username@TTU.EDU
>> Authenticating as principal username@TTU.EDU with password.
>> Enter password:
>> kadmin: Databasetd: recv suboption NAWS 0 100 (100) 0 53 (53)e
>> initializing kadmin interface
>>
>> What other methods do I have to work with to get a working
>> afs/my.cell.edu@WINDOWS.REALM?
>> Is there a way to generate a keytab/afskey based on the known password
>> in the KDC for that principal?
>> -chris
>>
>> On Friday, July 25, 2003, at 11:57 PM, Derek Atkins wrote:
>>
>>> Chris McClimans <Chris.McClimans@ttu.edu> writes:
>>>
>>>> Does this mean that the pts entry would be username for the
>>>> principal username@REMOTE.REALM and I could pts createuser username -id 12345?
>>>> -chris
>>>
>>> Assuming you make "REMOTE.REALM" the kerberos realm for your cell, and
>>> obtain a key, afs/your.cell@REMOTE.REALM... For a user with a
>>> kerberos principal of username@REMOTE.REALM you would give them a pts
>>> name of "username" and you can assign them an id of whatever you
>>> want.
>>>
>>> e.g.:
>>>
>>> klist
>>> ...
>>> Default principal: warlord@ATHENA.MIT.EDU
>>> ...
>>> 07/26/03 00:39:12 07/26/03 10:39:12 afs.athena.mit.edu@ATHENA.MIT.EDU
>>> 07/26/03 00:39:12 07/26/03 10:39:12 afs.sipb.mit.edu@ATHENA.MIT.EDU
>>> ...
>>>
>>> tokens
>>> User's (AFS ID 9661) tokens for afs@sipb.mit.edu [Expires Jul 26 10:39]
>>> User's (AFS ID 9661) tokens for afs@athena.mit.edu [Expires Jul 26 10:39]
>>> ...
>>> --> pts exa 9661 -c sipb
>>> Name: warlord, id: 9661, owner: system:administrators, creator: ...
>>>
>>> -derek
>>>
>>> --
>>> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>>> Member, MIT Student Information Processing Board (SIPB)
>>> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
>>> warlord@MIT.EDU PGP key available
>>
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>
> --
>
> Douglas E. Engert <DEEngert@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
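Editor's added example, not code from this thread or from OpenAFS. It encodes
the naming rule Derek describes (a principal in the cell's own realm gets the
bare "username" as its pts name) and generalizes it to the foreign-realm case
that OpenAFS's aklog uses (user@realm, realm lowercased, "/" instance written
as "."). It also checks a ktpass-produced keytab for the expected principal
and kvno before the classic "asetkey add" step, so a keytab written under the
wrong principal name is caught before anything touches the KeyFile. The cell
realm is passed in explicitly rather than guessed; afs/my.cell.edu,
WINDOWS.REALM, TTU.EDU and the id 12345 are taken from the thread; SAMPLE_KLIST
is a constructed stand-in for "klist -k -e" output; install_afs_key is only
meant to be run as root on the AFS server and is not invoked here.

```shell
#!/bin/sh
# Added example (editor's, not code from this thread or from OpenAFS).
# Assumptions: the cell's realm is passed in explicitly; afs/my.cell.edu,
# WINDOWS.REALM, TTU.EDU and id 12345 come from the thread; SAMPLE_KLIST is
# constructed here in the shape of "klist -k -e" output.

# afs_pts_name PRINCIPAL CELL_REALM
# Prints the pts name aklog looks up for a Kerberos v5 principal:
#   user[/inst]@CELL_REALM  -> user[.inst]             (home realm, as in the thread)
#   user[/inst]@OTHER.REALM -> user[.inst]@other.realm (foreign realm, lowercased)
afs_pts_name() {
    princ=$1
    cell_realm=$2
    case $princ in
        *@*) ;;
        *)   princ="$princ@$cell_realm" ;;   # no realm given: assume the cell's own
    esac
    realm=${princ##*@}
    user=$(printf '%s' "${princ%@*}" | tr '/' '.')
    if [ "$realm" = "$cell_realm" ]; then
        printf '%s\n' "$user"
    else
        printf '%s@%s\n' "$user" "$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')"
    fi
}

# pts_createuser_cmd PRINCIPAL CELL_REALM ID
# Prints the pts command that creates the matching entry with a chosen id.
pts_createuser_cmd() {
    printf 'pts createuser -name %s -id %s\n' "$(afs_pts_name "$1" "$2")" "$3"
}

# keytab_kvno PRINCIPAL   (reads "klist -k [-e] KEYTAB" output on stdin)
# Prints the highest kvno listed for PRINCIPAL; exits non-zero if it is absent,
# which catches a ktpass run that wrote a different principal name.
keytab_kvno() {
    awk -v p="$1" 'BEGIN { kv = -1 }
                   $2 == p && $1 + 0 > kv { kv = $1 + 0 }
                   END { if (kv < 0) exit 1; print kv }'
}

# Constructed sample of "klist -k -e afs.keytab" output used by the demo below.
SAMPLE_KLIST='Keytab name: FILE:afs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs/my.cell.edu@WINDOWS.REALM (DES cbc mode with CRC-32)'

# install_afs_key KEYTAB PRINCIPAL   -- run as root on the AFS server, not here.
# Classic OpenAFS key installation: read the kvno from the keytab, load that
# key into the KeyFile with asetkey, then confirm the server sees it.
install_afs_key() {
    keytab=$1
    princ=$2
    kvno=$(klist -k "$keytab" | keytab_kvno "$princ") || {
        echo "$princ not found in $keytab" >&2
        return 1
    }
    asetkey add "$kvno" "$keytab" "$princ"
    bos listkeys localhost -localauth
}

# Stand-alone run ("sh this.sh demo"): the thread's case and the general case.
if [ "${1:-}" = "demo" ]; then
    afs_pts_name username@REMOTE.REALM REMOTE.REALM      # username
    afs_pts_name username@WINDOWS.REALM TTU.EDU          # username@windows.realm
    pts_createuser_cmd username@REMOTE.REALM REMOTE.REALM 12345
    printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno afs/my.cell.edu@WINDOWS.REALM   # 3
fi
```

The mapping function is the part worth keeping around: the same rule decides
whether "pts createuser" needs the bare name or the user@realm form, and getting
it wrong produces a pts entry that aklog never matches, which shows up as
tokens that exist but grant no access.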