[OpenAFS] Kerberos 5, AFS, and no krb524d

Douglas E. Engert deengert@anl.gov
Tue, 10 Jun 2003 11:46:24 -0500 

Derek Atkins wrote:
> 
> "Douglas E. Engert" <deengert@anl.gov> writes:
> 

> 
> > I see now why we never had this problem. The modified krb524d and gssklogd would
> > change the principal names in the returned ticket so that the principal appeared
> > to be a local K4 principal for the realm=cell. i.e. even if I was using a K5
> > principal of dengert@KRB5.ANL.GOV the AFS token would have dengert@anl.gov
> 
> Yea, this would explain why you didn't see the problem.
> 
> > So what are the implications of an AFS cell accepting tokens from multiple
> > realms? You could use cross realm support, or if you did something like we did,
> > map the principals to AFS users in the cell.
> 
> This is what the old Athena "Realms" file hack did..  The problem was
> that "warlord@ATHENA.MIT.EDU" and "warlord@MEDIA-LAB.MIT.EDU" would
> both map to the same AFS user.. 

We use something based on the Umich's uniqname, for all the trusted realms, 
so this is not a problem for us.  

> So you had to trust both realms.
> Also, ISTR that both realms had to have the same afs/<cell>@realm key
> and kvno...

Actualy the /usr/afs/etc/KeyFile could have multiple keys and kvnos so
they could have different keys, if the kvno does not match. We use this
trict too.



> 
> -derek
> 
> > Nicholas Henke wrote:
> > >
> > > On Mon, 2003-06-09 at 23:20, Derrick J Brashear wrote:
> > > > On Mon, 9 Jun 2003, Derek Atkins wrote:
> > > >
> > > > > This does seem to imply that your cell does not consider UPENN.EDU to
> > > > > be the "local" authentication realm.  I don't know how/why this is the
> > > > > case (having not done it myself).
> > > >
> > > > Well, what the heck is the "Realms" file you (someone?) suggested...
> > > >
> > > > if ((cnffile = fopen(AFSDIR_SERVER_KCONF_FILEPATH, "r")) == NULL) {
> > > >         return(KFAILURE);
> > > >     }
> > > >
> > > > should be /usr/afs/etc/krb.conf
> > > >
> > > > e.g.
> > > >
> > > > UPENN.EDU
> > > >
> > >
> > > Brilliant -- It works!!!
> > >
> > > Woot! There will defineately be a web page put up to describe krb5 +
> > > openafs + cell name != realm.
> > >
> > > Thanks again to everyone ( Derrik, Derek, Doug especially ) for all of
> > > the help on this strange issue.
> > >
> > > Nic
> > > --
> > > Nicholas Henke
> > > Penguin Herder & Linux Cluster System Programmer
> > > Liniac Project - Univ. of Pennsylvania
> > >
> > > _______________________________________________
> > > OpenAFS-info mailing list
> > > OpenAFS-info@openafs.org
> > > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
> > --
> >
> >  Douglas E. Engert  <DEEngert@anl.gov>
> >  Argonne National Laboratory
> >  9700 South Cass Avenue
> >  Argonne, Illinois  60439
> >  (630) 252-5444
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> 
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444