[OpenAFS] gssklogd access from windows

Douglas E. Engert deengert@anl.gov
Fri, 05 Sep 2003 09:12:56 -0500


Chris McClimans wrote:
> 
> I'm trying to get the keytabs generated, but apparently there are some
> technical hurdles when you only administer an ou within the AD and
> aren't a root admin. Something about kerberos principal keytab
> generation fails. Hopefully I can get the root AD admins to generate my
> gssklog/fqdns@TTU.EDU tomorrow.
> If anyone cares, I can post the details of my attempts to generate
> keytabs as a lowly OU admin in MS AD.
> 
> When gssklog connects to gssklogd (and tries to get
> gssklog@oak.cs.ttu.edu) the only way to contact the kdc for the
> CS.TTU.EDU realm is to have it configured in DNS or the krb5.conf
> equivalent. The equivalent doesn't seem to exist anywhere within the
> microsoft implementation as far as I can tell.
> The entry actually exists in the AD as a cross-realm trust, but I
> wonder if the gssapi implementation uses it as a referral if you passed
> the realm in via SSPI?

Yes it should. To test this, in gssklog.c  after the line:

     strcat(service_princ_name,server);
add 
     strcat(service_princ_name,"@CS.TTU.EDU");

then after the line: 

     strcat(service_princ_name,cellconfig.hostName[i]);
add 
     strcat(service_princ_name,"@CS.TTU.EDU");

This is only a test (the size of the string service_princ_name should also be increased)
and will only work for the SSPI. 
I will also look at a substitute way to specify the realm of the cell. 



> 
> -chris
> 
> On Thursday, September 4, 2003, at 02:27  PM, Douglas E. Engert wrote:
> >
> > There are two ways to solve this.
> >
> >  o The SSPI can actually allow the client to specify the realm,
> >    using some mapping of its own.  host@realm would be passed in
> >    I don't have this in the gssklog, but could add one, for example
> >    if the initial attempt failed, try the domain name as the realm, or
> > use DNS etc.
> >
> >  o Add a gssklog/elm.cs.ttu.edu@TTU.EDU to the client's KDC.
> >    and have the gssklogd accept either. (This is what we do,
> >    but it takes a mod to the server's gssapi lib to accept either.)
> >
> > I will look into the mapping.
> >
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
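The two strcat() lines suggested above append a fixed realm to a fixed-size buffer, which is why the message adds the caveat that service_princ_name must be enlarged. The following is an added example, not code from gssklog or OpenAFS: it builds the same "gssklog/host@REALM" name with a bounds check, and implements one of the fallbacks proposed earlier in the thread (derive the realm from the host's domain name). The function names, the PRINC_MAX size and the realm-from-domain rule are assumptions for illustration; the host and realm values are the ones quoted in the thread.

```c
/* Added example (not the gssklog source): build a GSS service principal
 * name "gssklog/host@REALM" with bounds checking, which is the fixed-size
 * strcat() concern raised in the message above. Function and buffer names
 * are assumptions for this illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define PRINC_MAX 256   /* assumed buffer size; the message notes the real one must grow */

/* Derive a Kerberos realm from a host name by upper-casing the domain
 * part (the "try the domain name as the realm" fallback proposed in the
 * thread). Returns 0 on success, -1 if there is no domain part or the
 * output buffer is too small. */
int realm_from_host(const char *host, char *realm, size_t realm_len)
{
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot[1] == '\0')
        return -1;
    const char *domain = dot + 1;
    size_t n = strlen(domain);
    if (n + 1 > realm_len)
        return -1;
    for (size_t i = 0; i < n; i++)
        realm[i] = (char)toupper((unsigned char)domain[i]);
    realm[n] = '\0';
    return 0;
}

/* Build "service/host@REALM" (or "service/host" when realm is NULL or
 * empty) into out. Unlike the strcat() chain in gssklog.c, this checks
 * that the result fits; returns the length written, or -1 if the name
 * would have been truncated (out is then left empty). */
int build_service_princ(char *out, size_t out_len,
                        const char *service, const char *host,
                        const char *realm)
{
    int n;
    if (realm != NULL && realm[0] != '\0')
        n = snprintf(out, out_len, "%s/%s@%s", service, host, realm);
    else
        n = snprintf(out, out_len, "%s/%s", service, host);
    if (n < 0 || (size_t)n >= out_len) {
        if (out_len > 0)
            out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char realm[64];
    char princ[PRINC_MAX];

    /* Host name taken from the thread; the realm is derived from it. */
    if (realm_from_host("elm.cs.ttu.edu", realm, sizeof realm) == 0 &&
        build_service_princ(princ, sizeof princ, "gssklog",
                            "elm.cs.ttu.edu", realm) > 0)
        printf("%s\n", princ);   /* gssklog/elm.cs.ttu.edu@CS.TTU.EDU */
    return 0;
}
```

The truncation check is the point: a silently shortened principal name would make the client ask the KDC for a ticket that does not exist, which looks like the realm-lookup failure described in the thread rather than a buffer problem.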