[OpenAFS] gssklogd access from windows
Chris McClimans
openafs-info@mcclimans.net
Thu, 4 Sep 2003 23:17:46 -0500
I'm trying to get the keytabs generated, but apparently there are some
technical hurdles when you only administer an OU within the AD and
aren't a root admin. Something about Kerberos principal keytab
generation fails. Hopefully I can get the root AD admins to generate my
gssklog/fqdns@TTU.EDU tomorrow.
If anyone cares, I can post the details of my attempts to generate
keytabs as a lowly OU admin in MS AD.
When gssklog connects to gssklogd (and tries to get
gssklog@oak.cs.ttu.edu), the only way to contact the KDC for the
CS.TTU.EDU realm is to have it configured in DNS or the krb5.conf
equivalent. The equivalent doesn't seem to exist anywhere within the
Microsoft implementation as far as I can tell.
The entry actually exists in the AD as a cross-realm trust, but I
wonder if the gssapi implementation uses it as a referral if you passed
the realm in via SSPI?
-chris
On Thursday, September 4, 2003, at 02:27 PM, Douglas E. Engert wrote:
>
> There are two ways to solve this.
>
> o The SSPI can actually allow the client to specify the realm,
> using some mapping of its own. host@realm would be passed in.
> I don't have this in the gssklog, but could add one; for example,
> if the initial attempt failed, try the domain name as the realm, or
> use DNS, etc.
>
> o Add a gssklog/elm.cs.ttu.edu@TTU.EDU to the client's KDC,
> and have the gssklogd accept either. (This is what we do,
> but it takes a mod to the server's gssapi lib to accept either.)
>
> I will look into the mapping.
>
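The realm lookup the thread turns on (the KDC for CS.TTU.EDU must be configured in krb5.conf or DNS, and a host such as elm.cs.ttu.edu must map to a realm, with Engert's fallback of trying the domain name as the realm) worked through in Python as an added example. This is not code from the post or from gssklog; SAMPLE_KRB5_CONF, its KDC-PLACEHOLDER hosts and the function names are assumptions.

```python
import re
# Constructed krb5.conf fragment (an assumption, not from the post); KDC hosts are placeholders.
SAMPLE_KRB5_CONF = """
[realms]
    TTU.EDU = {
        kdc = KDC-PLACEHOLDER.ttu.edu
    }
    CS.TTU.EDU = {
        kdc = KDC-PLACEHOLDER.cs.ttu.edu
    }
[domain_realm]
    .cs.ttu.edu = CS.TTU.EDU
    oak.cs.ttu.edu = CS.TTU.EDU
    .ttu.edu = TTU.EDU
"""

def domain_realm_map(conf):
    """Return the [domain_realm] section as {host-or-.suffix: REALM}."""
    mapping, in_section = {}, False
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith('['):
            in_section = (line == '[domain_realm]')
        elif in_section and '=' in line:
            pattern, _, realm = line.partition('=')
            mapping[pattern.strip().lower()] = realm.strip()
    return mapping

def realm_kdcs(conf, realm):
    """kdc = hosts for REALM in [realms]; [] means only DNS could locate it."""
    block = re.search(r'^\s*' + re.escape(realm) + r'\s*=\s*\{(.*?)^\s*\}',
                      conf, re.S | re.M)
    return re.findall(r'^\s*kdc\s*=\s*(\S+)', block.group(1), re.M) if block else []

def host_to_realm(host, mapping, domain_fallback=True):
    """Exact host entry, then longest '.domain' suffix (as the krb5 libs do);
    with domain_fallback, the upper-cased DNS domain (Engert's suggested retry)."""
    host = host.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        suffix = '.' + '.'.join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    if domain_fallback and len(labels) > 1:
        return '.'.join(labels[1:]).upper()
    return None
```

A realm with no `kdc =` entry and no `_kerberos._udp.<REALM>` SRV record is exactly the unreachable case the post describes on the Windows side.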