[OpenAFS] Kerberos 5, AFS, and no krb524d

Douglas E. Engert deengert@anl.gov
Tue, 10 Jun 2003 08:49:14 -0500


Great to hear you finally have it working. 

But afs_krb_get_lrealm in src/util/get_krbrlm.c will only read the first line
of the file, thus the cell can only be the member of a single realm.
This also implies that all principals in that realm map to AFS users.

I see now why we never had this problem. The modified krb524d and gssklogd would 
change the principal names in the returned ticket so that the principal appeared 
to be a local K4 principal for the realm=cell. i.e. even if I was using a K5 
principal of dengert@KRB5.ANL.GOV the AFS token would have dengert@anl.gov 

So what are the implications of an AFS cell accepting tokens from multiple 
realms? You could use cross realm support, or if you did something like we did,
map the principals to AFS users in the cell.  


Nicholas Henke wrote:
> 
> On Mon, 2003-06-09 at 23:20, Derrick J Brashear wrote:
> > On Mon, 9 Jun 2003, Derek Atkins wrote:
> >
> > > This does seem to imply that your cell does not consider UPENN.EDU to
> > > be the "local" authentication realm.  I don't know how/why this is the
> > > case (having not done it myself).
> >
> > Well, what the heck is the "Realms" file you (someone?) suggested...
> >
> > if ((cnffile = fopen(AFSDIR_SERVER_KCONF_FILEPATH, "r")) == NULL) {
> >     return(KFAILURE);
> > }
> >
> > should be /usr/afs/etc/krb.conf
> >
> > e.g.
> >
> > UPENN.EDU
> >
> 
> Brilliant -- It works!!!
> 
> Woot! There will definitely be a web page put up to describe krb5 +
> openafs + cell name != realm.
> 
> Thanks again to everyone ( Derrick, Derek, Doug especially ) for all of
> the help on this strange issue.
> 
> Nic
> --
> Nicholas Henke
> Penguin Herder & Linux Cluster System Programmer
> Liniac Project - Univ. of Pennsylvania
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
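The two points Doug makes above, that the server-side krb.conf is only read as far as its first line and that every principal in that one realm therefore maps to an AFS user, are easy to model. The following is an added example written for this page, not OpenAFS source: it reimplements the first-line lookup in Python, splits a Kerberos principal into name and realm, and shows the difference between a principal in the local realm, one in a realm listed on a later (ignored) line, and one that a site has chosen to map anyway, which is the krb524d/gssklogd rewriting approach Doug describes for dengert@KRB5.ANL.GOV. The file contents, the principals and the helper names (local_realm_from_text, afs_user_for, demo) are constructed for the illustration; cross-realm handling is not modelled.

```python
"""Added example (not OpenAFS code): models the local-realm lookup and the
principal-to-AFS-user question raised in the thread.

Assumptions, all constructed for this illustration:
  * KRB_CONF_PATH stands in for /usr/afs/etc/krb.conf on a server;
  * only the first line of that file is consulted, as the message says
    afs_krb_get_lrealm() does;
  * a principal whose realm equals that local realm is a local AFS user;
    any other realm is foreign unless the site chooses to map it, which is
    the workaround the message describes for KRB5.ANL.GOV -> anl.gov.
"""
from __future__ import annotations

KRB_CONF_PATH = "/usr/afs/etc/krb.conf"  # real server path; not opened here


def local_realm_from_text(text: str) -> str | None:
    """Return the realm named on the first line of a krb.conf body.

    Everything after the first line is ignored, so a second realm listed
    there has no effect. Returns None if the first line is blank or missing
    (the C function returns KFAILURE in the analogous case).
    """
    first_line = text.split("\n", 1)[0]
    tokens = first_line.split()
    return tokens[0] if tokens else None


def local_realm_from_file(path: str = KRB_CONF_PATH) -> str | None:
    """Same lookup against a file on disk (reads only the first line)."""
    with open(path, encoding="ascii") as fh:
        return local_realm_from_text(fh.readline())


def split_principal(principal: str) -> tuple[str, str]:
    """Split 'name[/instance]@REALM' into (name part, REALM)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    return name, realm


def afs_user_for(principal: str, local_realm: str | None,
                 mapped_realms: frozenset[str] = frozenset()) -> str | None:
    """Decide which AFS user, if any, a principal should be treated as.

    - realm == local realm: the bare name is the AFS user (realm = cell case);
    - realm in mapped_realms: the site treats that realm as local too, the
      krb524d/gssklogd rewriting approach described in the message;
    - otherwise: None, i.e. not a local user; cross-realm handling would be
      needed, which this example does not model.
    """
    name, realm = split_principal(principal)
    if realm == local_realm or realm in mapped_realms:
        return name
    return None


def demo() -> dict[str, str | None]:
    """Run the lookup over a constructed krb.conf with two realm lines."""
    constructed_krb_conf = "UPENN.EDU\nKRB5.ANL.GOV\n"  # second line is ignored
    local = local_realm_from_text(constructed_krb_conf)
    return {
        "local_realm": local,
        "nic@UPENN.EDU": afs_user_for("nic@UPENN.EDU", local),
        # KRB5.ANL.GOV sits on line two, so without a mapping it is foreign
        "dengert@KRB5.ANL.GOV": afs_user_for("dengert@KRB5.ANL.GOV", local),
        # with the site-level mapping the message describes it becomes 'dengert'
        "dengert@KRB5.ANL.GOV (mapped)": afs_user_for(
            "dengert@KRB5.ANL.GOV", local, frozenset({"KRB5.ANL.GOV"})),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:32} -> {value}")
```

Running the module prints the four results; the point to take from it is that adding a second realm line to krb.conf changes nothing, so a cell that wants to accept tokens from more than one realm needs either cross-realm support or an explicit principal-to-user mapping, exactly the choice Doug raises.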