[OpenAFS] Kerberos 5, AFS, and no krb524d
Derrick J Brashear
shadow@dementia.org
Tue, 10 Jun 2003 12:21:56 -0400 (EDT)
On Tue, 10 Jun 2003, Rodney M Dyer wrote:
> > > So if I've setup my AD domain to trust a MIT Kerberos realms TGT, then I
> > > could just request my AFS service principal ticket from my AD server right?
> >
> >Define "trust". Same realm or different?
>
> Ah, caught me. In my case they would be different.
>
> DNS Domain: uncc.edu
> AFS Cell: UNCC.EDU
> Kerberos Realm: UNCC.EDU
> AD Domain: mosaic.uncc.edu
>
> We have our AD domain in a one-way trust with the Kerberos realm. So by
> your response, I couldn't create an AFS service principal on the AD domain
> such as...
Well, I don't know what you're trying to do, but...
> AD account "afs" which resolves to "afs@mosaic.uncc.edu", to which we would
> then add a Kerberos name mapping of "afs@UNCC.EDU" and maybe
> "afs/UNCC.EDU@UNCC.EDU".
You could make it have the same key and key version number, and probably
pretend they're the same, but I'd have to think more about implications.
You'd ideally use something like Doug's krb524d and have it rewrite the
afs@mosaic token to be an afs@uncc token and return it to the client;
here, you'd need a krb524d because you'd be decrypting and re-encrypting
the key.
> My thinking is...I need to get really deep on this one.
Probably.