[OpenAFS] Kerberos 5, AFS, and no krb524d

Derrick J Brashear shadow@dementia.org
Tue, 10 Jun 2003 12:21:56 -0400 (EDT)


On Tue, 10 Jun 2003, Rodney M Dyer wrote:

> > > So if I've set up my AD domain to trust an MIT Kerberos realm's TGT, then I
> > > could just request my AFS service principal ticket from my AD server right?
> >
> >Define "trust". Same realm or different?
>
> Ah, caught me.  In my case they would be different.
>
> DNS Domain:  uncc.edu
> AFS Cell:  UNCC.EDU
> Kerberos Realm:  UNCC.EDU
> AD Domain:  mosaic.uncc.edu
>
> We have our AD domain in a one-way trust with the Kerberos realm.  So by
> your response, I couldn't create an AFS service principal on the AD domain
> such as...

Well, I don't know what you're trying to do, but...

> AD account "afs" which resolves to "afs@mosaic.uncc.edu", to which we would
> then add a Kerberos name mapping of "afs@UNCC.EDU" and maybe
> "afs/UNCC.EDU@UNCC.EDU".

You could make it have the same key and key version number, and probably
pretend they're the same, but I'd have to think more about implications.

You'd ideally use something like Doug's krb524d and have it rewrite the
afs@mosaic token to be an afs@uncc token and return it to the client;
here, you'd need a krb524d because you'd be decrypting and re-encrypting
the key.

> My thinking is...I need to get really deep on this one.

Probably.
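The two options Derrick sketches (give the AD "afs" principal the same key and kvno as the cell's afs principal, or run a krb524d-style service that decrypts the AD-issued ticket and re-encrypts it under the cell key) are illustrated below. This is an added example, not code from the thread or from OpenAFS: the cipher is a constructed toy (HMAC-SHA256 keystream plus a MAC tag) standing in for a real Kerberos enctype, the keys and the client name are constructed, and the KeyFile is modelled as a plain kvno-to-key dictionary.

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream from HMAC-SHA256 over nonce||counter (constructed, not a Kerberos enctype)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the tag lets the receiver detect a wrong key."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify (wrong key)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def issue_ticket(service_name: str, service_key: bytes, kvno: int, client: str) -> dict:
    """KDC side: the ticket body is encrypted under the service principal's current key."""
    body = json.dumps({"client": client, "sname": service_name}).encode()
    return {"sname": service_name, "kvno": kvno, "enc_part": toy_encrypt(service_key, body)}


def afs_server_accepts(ticket: dict, keyfile: dict):
    """Fileserver side: select the key by kvno from a KeyFile-like table and try to decrypt.
    Returns the client name, or None when the ticket cannot be decrypted with any cell key."""
    key = keyfile.get(ticket["kvno"])
    if key is None:
        return None
    body = toy_decrypt(key, ticket["enc_part"])
    return json.loads(body)["client"] if body else None


def krb524d_rewrite(ticket: dict, ad_key: bytes, cell_name: str, cell_key: bytes, cell_kvno: int):
    """Option 2: a service holding both keys decrypts the afs@mosaic ticket and re-encrypts
    it for the afs@UNCC.EDU cell. Holding both keys is exactly why this needs a krb524d-like daemon."""
    body = toy_decrypt(ad_key, ticket["enc_part"])
    if body is None:
        return None
    claims = json.loads(body)
    claims["sname"] = f"afs/{cell_name}"
    return {"sname": claims["sname"], "kvno": cell_kvno,
            "enc_part": toy_encrypt(cell_key, json.dumps(claims).encode())}


# Constructed keys: the cell's afs key and two candidate keys for the AD "afs" account.
CELL_KEY = hashlib.sha256(b"constructed cell key").digest()
AD_KEY_SAME = CELL_KEY          # option 1: same key and kvno copied into AD
AD_KEY_DIFF = hashlib.sha256(b"constructed AD key").digest()
KEYFILE = {3: CELL_KEY}         # kvno 3 is the cell's current key


def demo():
    """Constructed client name; returns what the cell's fileserver would conclude in each case."""
    t_same = issue_ticket("afs@mosaic.uncc.edu", AD_KEY_SAME, 3, "user@UNCC.EDU")
    t_diff = issue_ticket("afs@mosaic.uncc.edu", AD_KEY_DIFF, 3, "user@UNCC.EDU")
    rewritten = krb524d_rewrite(t_diff, AD_KEY_DIFF, "UNCC.EDU", CELL_KEY, 3)
    return {
        "same_key": afs_server_accepts(t_same, KEYFILE),       # accepted: key and kvno match
        "different_key": afs_server_accepts(t_diff, KEYFILE),  # rejected: cell key cannot decrypt it
        "rewritten": afs_server_accepts(rewritten, KEYFILE),   # accepted after re-encryption
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one in the reply: a ticket is only useful to the fileserver if it can decrypt it with a key it holds under the kvno the ticket names, so either the AD principal must carry the identical key and kvno, or something that knows both keys must re-encrypt the ticket in between.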