[OpenAFS] Kerberos 5, AFS, and no krb524d

Derek Atkins warlord@MIT.EDU
10 Jun 2003 10:28:57 -0400


"Douglas E. Engert" <deengert@anl.gov> writes:

> Great to hear you finally have it working. 
> 
> But afs_krb_get_lrealm in src/util/get_krbrlm.c will only read the first line
> of the file, thus the cell can only be the member of a single realm.
> This also implies that all principals in that realm map to AFS users.

Well, not necessarily.  It means that all principals in that realm
could map to local AFS users, if they exist in the pts database.  If
they don't exist in the pts database then they won't be a local user.

> I see now why we never had this problem. The modified krb524d and gssklogd would 
> change the principal names in the returned ticket so that the principal appeared 
> to be a local K4 principal for the realm=cell. i.e. even if I was using a K5 
> principal of dengert@KRB5.ANL.GOV the AFS token would have dengert@anl.gov 

Yea, this would explain why you didn't see the problem.

> So what are the implications of an AFS cell accepting tokens from multiple 
> realms? You could use cross realm support, or if you did something like we did,
> map the principals to AFS users in the cell.  

This is what the old Athena "Realms" file hack did.  The problem was
that "warlord@ATHENA.MIT.EDU" and "warlord@MEDIA-LAB.MIT.EDU" would
both map to the same AFS user.  So you had to trust both realms.
Also, ISTR that both realms had to have the same afs/<cell>@realm key
and kvno...

-derek

> Nicholas Henke wrote:
> > 
> > On Mon, 2003-06-09 at 23:20, Derrick J Brashear wrote:
> > > On Mon, 9 Jun 2003, Derek Atkins wrote:
> > >
> > > > This does seem to imply that your cell does not consider UPENN.EDU to
> > > > be the "local" authentication realm.  I don't know how/why this is the
> > > > case (having not done it myself).
> > >
> > > Well, what the heck is the "Realms" file you (someone?) suggested...
> > >
> > > if ((cnffile = fopen(AFSDIR_SERVER_KCONF_FILEPATH, "r")) == NULL) {
> > >     return(KFAILURE);
> > > }
> > >
> > > should be /usr/afs/etc/krb.conf
> > >
> > > e.g.
> > >
> > > UPENN.EDU
> > >
> > 
> > Brilliant -- It works!!!
> > 
> > Woot! There will definitely be a web page put up to describe krb5 +
> > openafs + cell name != realm.
> > 
> > Thanks again to everyone ( Derrik, Derek, Doug especially ) for all of
> > the help on this strange issue.
> > 
> > Nic
> > --
> > Nicholas Henke
> > Penguin Herder & Linux Cluster System Programmer
> > Liniac Project - Univ. of Pennsylvania
> > 
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> 
> -- 
> 
>  Douglas E. Engert  <DEEngert@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439 
>  (630) 252-5444

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
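The following is an added illustration, not code from OpenAFS or from anyone in this thread. It models the two behaviours the thread turns on: afs_krb_get_lrealm reading only the first line of /usr/afs/etc/krb.conf (so the cell has exactly one local realm), and a principal from the local realm mapping to a bare pts name while a principal from any other realm maps to user@realm in lowercase (the OpenAFS convention for foreign-realm users). The krb.conf contents, the pts database and the cell names are constructed for the example; the "assume the uppercased cell name when krb.conf is absent" fallback and the multi-line "Realms"-style variant are assumptions added here to show why two realms listed together make warlord@ATHENA.MIT.EDU and warlord@MEDIA-LAB.MIT.EDU collide on one pts entry.

```python
"""Model of how an AFS cell picks its local realm and maps a Kerberos 5
principal to a pts name.  Added example; not OpenAFS source."""

from collections import defaultdict

# Constructed krb.conf contents.  The thread's working fix was a one-line
# file naming UPENN.EDU for a cell whose name is not upenn.edu.
KRB_CONF_SINGLE = "UPENN.EDU\n"
# Constructed two-line file standing in for the old Athena "Realms" hack.
KRB_CONF_MULTI = "ATHENA.MIT.EDU\nMEDIA-LAB.MIT.EDU\n"


def local_realms(krb_conf_text, cell, first_line_only=True):
    """Realms the cell treats as local.

    first_line_only=True mirrors afs_krb_get_lrealm as described in the
    thread: only the first line of krb.conf is consulted.  With an empty
    file we assume (assumption made for this example) the uppercased cell
    name, which is the situation Nic hit before creating the file.
    """
    lines = [ln.strip() for ln in krb_conf_text.splitlines() if ln.strip()]
    if not lines:
        return [cell.upper()]
    return lines[:1] if first_line_only else lines


def pts_name(principal, realms):
    """Map user@REALM to the pts name the server would look up.

    A principal in a local realm becomes the bare user name; any other
    realm yields user@realm with the realm lowercased.
    """
    user, _, realm = principal.rpartition("@")
    if realm in realms:
        return user
    return f"{user}@{realm.lower()}"


def resolve(principal, realms, pts_db):
    """Return the matching pts entry, or None if the mapped name does not
    exist in the pts database (a local-realm principal with no pts entry
    is simply not a local AFS user)."""
    name = pts_name(principal, realms)
    return name if name in pts_db else None


def collisions(principals, realms):
    """Names that more than one distinct principal maps to.  With the
    multi-realm variant this is exactly the warlord@ATHENA / warlord@MEDIA-LAB
    problem Derek describes: both realms must be trusted equally."""
    seen = defaultdict(list)
    for p in principals:
        seen[pts_name(p, realms)].append(p)
    return {n: ps for n, ps in seen.items() if len(ps) > 1}


if __name__ == "__main__":
    # Constructed pts database for the demonstration.
    pts_db = {"nic", "warlord", "dengert@krb5.anl.gov"}
    realms = local_realms(KRB_CONF_SINGLE, "liniac.upenn.edu")
    print("local realms:", realms)
    for p in ("nic@UPENN.EDU", "bob@UPENN.EDU", "dengert@KRB5.ANL.GOV"):
        print(p, "->", pts_name(p, realms), "pts:", resolve(p, realms, pts_db))
    both = local_realms(KRB_CONF_MULTI, "athena.mit.edu", first_line_only=False)
    print("Realms-hack collisions:",
          collisions(["warlord@ATHENA.MIT.EDU", "warlord@MEDIA-LAB.MIT.EDU"], both))
```

Run as-is and it walks through the single-realm case (nic resolves, bob does not because he has no pts entry, dengert resolves only under the foreign-style name) and then shows the collision that a two-realm list produces.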