[OpenAFS] Manually Creating Cross Realm Users

Douglas E. Engert deengert@anl.gov
Tue, 29 Jul 2003 17:00:49 -0500


Chris McClimans wrote:
> 
> Thanks for the information Douglas.
> I'll be getting with the administrators today and check out the ktpass
> command.
> 
> Now, since the KDC is now a Windows 2000 PDC etc. Where does the krb524
> daemon need to run? I assume we still need it somewhere in order for
> clients to get tokens. I doubt this is run by default on Microsoft's
> implementation ;)

You can run it on some other machine. Krb5-1.3.x now has code
in send524.c to look for a krb524_server= in the realms section of
the krb5.conf file or the DNS SRV records for _KRB524 (I have not tried this yet.)

So the krb524d servers we are running for the W2K domain are run on
two unix boxes.  

We had a mod in previous versions of the src/krb524/sendmsg.c
to look for krb524d= in the realms section of the krb5.conf file.
We will drop this mod for 1.3.x.

If you really want the mod for the previous version, drop me a note.

Two other options if all you want is AFS tokens: 

  o Use gssklog. The daemons run on the AFS database servers. The client
    can run on Windows or unix. It is much simpler to configure.

  o AFS 1.2.9 and above can use a K5 ticket, rather than a k4 ticket,
    which would mean that it does not need to be converted. (I am working
    on a msklog, that will run on W2K and above, and use the built-in
    MS code to get the k5 ticket, thus not needing any additional kerberos
    code on the client or server. It has some problems.)

> -chris
> 
> On Tuesday, July 29, 2003, at 01:26  PM, Douglas E. Engert wrote:
> 
> >
> >
> > Chris McClimans wrote:
> >>
> >> Is there a way to create an afs service principal and get the
> >> appropriate keytab files out of a Microsoft win2k KDC?
> >> I am not in administration for the remote KDC, and don't have a
> >> user/admin principal on the MS KDC.
> >
> > Technically if you don't have admin rights on the KDC you can never
> > get the key. That's the point of the key being the shared secret
> > between the KDC and the server. The admin of the KDC needs to
> > get involved to get you the secret as the representative of the service.
> >
> > See the MS ktpass command, which can produce a keytab, and is used by
> > the admin to set the service principal mapping. I think you can run it
> > locally.
> >
> >
> >>
> >> For example:
> >>
> >> mccliman@oak:~$ /usr/sbin/kadmin -r TTU.EDU -p username@TTU.EDU
> >> Authenticating as principal username@TTU.EDU with password.
> >> Enter password:
> >> kadmin: Databasetd: recv suboption NAWS 0 100 (100) 0 53 (53)e
> >> initializing kadmin interface
> >>
> >> What other methods do I have to work with to get a working
> >> afs/my.cell.edu@WINDOWS.REALM.
> >> Is there a way to generate a keytab/afskey based on the known password
> >> in the KDC for that principal?
> >> -chris
> >>
> >> On Friday, July 25, 2003, at 11:57  PM, Derek Atkins wrote:
> >>
> >>> Chris McClimans <Chris.McClimans@ttu.edu> writes:
> >>>
> >>>> Does this mean that the pts entry would be username for the principal
> >>>> username@REMOTE.REALM and I could pts createuser username -id 12345?
> >>>> -chris
> >>>
> >>> Assuming you make "REMOTE.REALM" the kerberos realm for your cell, and
> >>> obtain a key, afs/your.cell@REMOTE.REALM...  For a user with a
> >>> kerberos principal of username@REMOTE.REALM you would give them a pts
> >>> name of "username" and you can assign them an id of whatever you
> >>> want.
> >>>
> >>> e.g.:
> >>>
> >>> klist
> >>> ...
> >>> Default principal: warlord@ATHENA.MIT.EDU
> >>> ...
> >>> 07/26/03 00:39:12  07/26/03 10:39:12
> >>> afs.athena.mit.edu@ATHENA.MIT.EDU
> >>> 07/26/03 00:39:12  07/26/03 10:39:12  afs.sipb.mit.edu@ATHENA.MIT.EDU
> >>> ...
> >>>
> >>> tokens
> >>> User's (AFS ID 9661) tokens for afs@sipb.mit.edu [Expires Jul 26 10:39]
> >>> User's (AFS ID 9661) tokens for afs@athena.mit.edu [Expires Jul 26 10:39]
> >>> ...
> >>> --> pts exa 9661 -c sipb
> >>> Name: warlord, id: 9661, owner: system:administrators, creator: ...
> >>>
> >>> -derek
> >>>
> >>> --
> >>>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> >>>        Member, MIT Student Information Processing Board  (SIPB)
> >>>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
> >>>        warlord@MIT.EDU                        PGP key available
> >>

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
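The krb524 server lookup order described in the reply above for krb5 1.3.x (a krb524_server= entry in the realm's [realms] stanza first, DNS SRV as the fallback), as an added Python example that is not part of this thread or of the krb5 sources: a small krb5.conf parser and resolver run over a constructed config. The SRV name _krb524._udp.REALM and the default port 4444 are assumptions taken from MIT krb5 rather than from the message, and the config text is constructed.

```python
import re

KRB524_DEFAULT_PORT = 4444  # MIT krb5's KRB524_PORT; assumed, not stated in the thread

def parse_krb5_conf(text):
    """Parse krb5.conf [realms] into {REALM: {key: [values]}}; repeated keys keep file order."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop '#' comments and blank lines
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)       # section header, e.g. [realms]
        if m:
            section, current = m.group(1), None
        elif section != 'realms':
            continue
        elif re.match(r'^\S+\s*=\s*\{$', line):  # 'REALM = {' opens a realm stanza
            current = realms.setdefault(line.split('=', 1)[0].strip(), {})
        elif line == '}':
            current = None
        elif current is not None and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            current.setdefault(key, []).append(value)
    return realms

def krb524_servers(conf_text, realm, srv_lookup=None):
    """[(host, port), ...] to try for REALM's krb524d, in the order the reply
    describes for krb5 1.3.x: krb524_server= entries in the realm stanza first,
    else a DNS SRV query (assumed name _krb524._udp.REALM) made via srv_lookup."""
    found = []
    for entry in parse_krb5_conf(conf_text).get(realm, {}).get('krb524_server', []):
        host, sep, port = entry.rpartition(':')
        if not sep:                  # no ':' present: the whole entry is the host
            host, port = entry, ''
        found.append((host, int(port) if port else KRB524_DEFAULT_PORT))
    if not found and srv_lookup is not None:   # srv_lookup=None keeps this offline
        found = srv_lookup('_krb524._udp.' + realm)
    return found

# Constructed sample: W2K domain controller as KDC, krb524d on two separate unix boxes.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = AD.EXAMPLE.ORG
[realms]
    AD.EXAMPLE.ORG = {
        kdc = dc1.ad.example.org
        krb524_server = krb524a.example.org:4444   # unix box running krb524d
        krb524_server = krb524b.example.org        # second box, default port
    }
"""
```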