[OpenAFS] unsubscribe

Rogelio Bazan Reyes rogbazan@hotmail.com
Sat, 06 Sep 2003 16:41:59 +0000



>From: "Douglas E. Engert" <deengert@anl.gov>
>To: Chris McClimans <openafs-info@mcclimans.net>
>CC: openafs-info@openafs.org
>Subject: Re: [OpenAFS] gssklogd access from windows
>Date: Fri, 05 Sep 2003 09:12:56 -0500
>
>
>
>Chris McClimans wrote:
> >
> > I'm trying to get the keytabs generated, but apparently there are some
> > technical hurdles when you only administer an ou within the AD and
> > aren't a root admin. Something about kerberos principal keytab
> > generation fails. Hopefully I can get the root AD admins to generate my
> > gssklog/fqdns@TTU.EDU tomorrow.
> > If anyone cares, I can post the details of my attempts to generate
> > keytabs as a lowly OU admin in MS AD.
> >
> > When gssklog connects to gssklogd (and tries to get
> > gssklog@oak.cs.ttu.edu) the only way to contact the kdc for the
> > CS.TTU.EDU realm is to have it configured in DNS or the krb5.conf
> > equivalent. The equivalent doesn't seem to exist anywhere within the
> > microsoft implementation as far as I can tell.
> > The entry actually exists in the AD as a cross-realm trust, but I
> > wonder if the gssapi implementation uses it as a referral if you passed
> > the realm in via SSPI?
>
>Yes it should. To test this, in gssklog.c  after the line:
>
>      strcat(service_princ_name,server);
>add
>      strcat(service_princ_name,"@CS.TTU.EDU");
>
>then after the line:
>
>      strcat(service_princ_name,cellconfig.hostName[i]);
>add
>      strcat(service_princ_name,"@CS.TTU.EDU");
>
>This is only a test (the size of the string service_princ_name should also be increased)
>and will only work for the SSPI.
>I will also look at a substitute way to specify the realm of the cell.
>
>
>
> >
> > -chris
> >
> > On Thursday, September 4, 2003, at 02:27  PM, Douglas E. Engert wrote:
> > >
> > > There are two ways to solve this.
> > >
> > >  o The SSPI can actually allow the client to specify the realm,
> > >    using some mapping of its own.  host@realm would be passed in
> > >    I don't have this in the gssklog, but could add one, for example
> > >    if the initial attempt failed, try the domain name as the realm, or
> > > use DNS etc.
> > >
> > >  o Add a gssklog/elm.cs.ttu.edu@TTU.EDU to the client's KDC.
> > >    and have the gssklogd accept either. (This is what we do,
> > >    but it takes a mod to the server's gssapi lib to accept either.
> > >
> > > I will look into the mapping.
> > >
> >
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
>
>--
>
>  Douglas E. Engert  <DEEngert@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
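The test Doug describes appends a realm suffix to the service principal name with strcat and notes that the buffer size would have to grow for a real fix. The following is an added example, not code from the thread or from gssklog itself, showing the two pieces a fixed version would need: a bounds-checked builder for the "service@host@REALM" form passed to the SSPI, and the fallback he mentions of deriving a candidate realm from the host's domain name. Function names and the 0/-1 return convention are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (not gssklog's own code): build a GSS service principal
 * name as "service@host" or, when a realm is supplied, "service@host@REALM",
 * the form the thread suggests so the client can choose the realm itself.
 * Unlike strcat, the result is bounded by outlen; returns 0 on success and
 * -1 (with out cleared) if the name would not fit, so a truncated name is
 * never handed to the GSS layer. */
int build_service_princ(const char *service, const char *host,
                        const char *realm, char *out, size_t outlen)
{
    int n;

    if (out == NULL || outlen == 0 || service == NULL || host == NULL)
        return -1;
    if (realm != NULL && realm[0] != '\0')
        n = snprintf(out, outlen, "%s@%s@%s", service, host, realm);
    else
        n = snprintf(out, outlen, "%s@%s", service, host);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';      /* truncated: refuse rather than use a partial name */
        return -1;
    }
    return 0;
}

/* Fallback from the thread: try the host's domain name as the realm,
 * upper-cased in Kerberos style (oak.cs.ttu.edu -> CS.TTU.EDU).
 * Returns 0 on success, -1 if there is no domain part or it does not fit. */
int realm_from_host(const char *host, char *out, size_t outlen)
{
    const char *dot = (host != NULL) ? strchr(host, '.') : NULL;
    size_t i;

    if (dot == NULL || dot[1] == '\0' || out == NULL || outlen == 0)
        return -1;
    dot++;                              /* skip the host label and its dot */
    if (strlen(dot) + 1 > outlen)
        return -1;
    for (i = 0; dot[i] != '\0'; i++)
        out[i] = (char)toupper((unsigned char)dot[i]);
    out[i] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample host from the thread; the realm is derived. */
    char realm[64], princ[128];

    if (realm_from_host("oak.cs.ttu.edu", realm, sizeof realm) != 0)
        return 1;
    if (build_service_princ("gssklog", "oak.cs.ttu.edu", realm,
                            princ, sizeof princ) != 0)
        return 1;
    printf("%s\n", princ);   /* gssklog@oak.cs.ttu.edu@CS.TTU.EDU */
    return 0;
}
```

The point of the bounded builder is the caveat in the thread: once a realm is appended, the fixed-size service_princ_name can overflow with strcat, so the length check has to move into the code that builds the name rather than rely on the buffer being "big enough".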
