[OpenAFS] gssklogd access from windows

Chris McClimans openafs-info@mcclimans.net
Thu, 4 Sep 2003 23:17:46 -0500

I'm trying to get the keytabs generated, but apparently there are some 
technical hurdles when you only administer an ou within the AD and 
aren't a root admin. Something about kerberos principal keytab 
generation fails. Hopefully I can get the root AD admins to generate my 
gssklog/fqdns@TTU.EDU tomorrow.
If anyone cares, I can post the details of my attempts to generate 
keytabs as a lowly OU admin in MS AD.

When gssklog connects to gssklogd (and tries to get 
gssklog@oak.cs.ttu.edu) the only way to contact the kdc for the 
CS.TTU.EDU realm is to have it configured in DNS or the krb5.conf 
equivalent. The equivalent doesn't seem to exist anywhere within the 
microsoft implementation as far as I can tell.
The entry actually exists in the AD as a cross-realm trust, but I 
wonder if the gssapi implementation uses it as a referral if you passed 
the realm in via SSPI?


On Thursday, September 4, 2003, at 02:27  PM, Douglas E. Engert wrote:
> There are two ways to solve this.
>  o The SSPI can actually allow the client to specify the realm,
>    using some mapping of its own.  host@realm would be passed in
>    I don't have this in the gssklog, but could add one, for example
>    if the initial attempt failed, try the domain name as the realm, or 
> use DNS etc.
>  o Add a gssklog/elm.cs.ttu.edu@TTU.EDU to the client's KDC.
>    and have the gssklogd accept either. (This is what we do,
>    but it takes a mod to the server's gssapi lib to aceppt either.
> I will look into the mapping.