[OpenAFS] unsubscribe

Derek Atkins warlord@MIT.EDU
06 Sep 2003 13:30:45 -0400


DUDE... Stop sending unsub messages to the list.  WE CAN'T HELP YOU!

-derek

"Rogelio Bazan Reyes" <rogbazan@hotmail.com> writes:

> >From: "Douglas E. Engert" <deengert@anl.gov>
> >To: Chris McClimans <openafs-info@mcclimans.net>
> >CC: openafs-info@openafs.org
> >Subject: Re: [OpenAFS] gssklogd access from windows
> >Date: Fri, 05 Sep 2003 09:12:56 -0500
> >
> >
> >
> >Chris McClimans wrote:
> > >
> > > I'm trying to get the keytabs generated, but apparently there are some
> > > technical hurdles when you only administer an ou within the AD and
> > > aren't a root admin. Something about kerberos principal keytab
> > > generation fails. Hopefully I can get the root AD admins to generate my
> > > gssklog/fqdns@TTU.EDU tomorrow.
> > > If anyone cares, I can post the details of my attempts to generate
> > > keytabs as a lowly OU admin in MS AD.
> > >
> > > When gssklog connects to gssklogd (and tries to get
> > > gssklog@oak.cs.ttu.edu) the only way to contact the kdc for the
> > > CS.TTU.EDU realm is to have it configured in DNS or the krb5.conf
> > > equivalent. The equivalent doesn't seem to exist anywhere within the
> > > microsoft implementation as far as I can tell.
> > > The entry actually exists in the AD as a cross-realm trust, but I
> > > wonder if the gssapi implementation uses it as a referral if you passed
> > > the realm in via SSPI?
> >
> >Yes it should. To test this, in gssklog.c  after the line:
> >
> >      strcat(service_princ_name,server);
> >add
> >      strcat(service_princ_name,"@CS.TTU.EDU");
> >
> >then after the line:
> >
> >      strcat(service_princ_name,cellconfig.hostName[i]);
> >add
> >      strcat(service_princ_name,"@CS.TTU.EDU");
> >
> >This is only a test (the size of the string service_princ_name should
> >also be increased)
> >and will only work for the SSPI.
> >I will also look at a substitute way to specify the realm of the cell.
> >
> >
> >
> > >
> > > -chris
> > >
> > > On Thursday, September 4, 2003, at 02:27  PM, Douglas E. Engert wrote:
> > > >
> > > > There are two ways to solve this.
> > > >
> > > >  o The SSPI can actually allow the client to specify the realm,
> > > >    using some mapping of its own.  host@realm would be passed in
> > > >    I don't have this in the gssklog, but could add one, for example
> > > >    if the initial attempt failed, try the domain name as the realm, or
> > > > use DNS etc.
> > > >
> > > >  o Add a gssklog/elm.cs.ttu.edu@TTU.EDU to the client's KDC.
> > > >    and have the gssklogd accept either. (This is what we do,
> > > > >    but it takes a mod to the server's gssapi lib to accept either.
> > > >
> > > > I will look into the mapping.
> > > >
> > >
> > > _______________________________________________
> > > OpenAFS-info mailing list
> > > OpenAFS-info@openafs.org
> > > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
> >--
> >
> >  Douglas E. Engert  <DEEngert@anl.gov>
> >  Argonne National Laboratory
> >  9700 South Cass Avenue
> >  Argonne, Illinois  60439
> >  (630) 252-5444
> >

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
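
The quoted test change appends "@CS.TTU.EDU" to service_princ_name with strcat and notes that the buffer must be enlarged. The following is an added example, not part of the thread and not code from gssklog.c: it builds the same gssklog@host@REALM string (the form the thread says works only with the SSPI) with a length check, and derives the fallback realm from the host's domain name as the earlier message suggests. The function names and buffer sizes are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from gssklog.c): write "service@host" or,
 * when realm is non-NULL, "service@host@REALM" into out.
 * Returns 0 on success, -1 if the result would not fit. */
int build_princ(char *out, size_t outlen, const char *service,
                const char *host, const char *realm)
{
    int n = realm ? snprintf(out, outlen, "%s@%s@%s", service, host, realm)
                  : snprintf(out, outlen, "%s@%s", service, host);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';      /* never leave a truncated name behind */
        return -1;
    }
    return 0;
}

/* Fallback mapping described in the thread: use the host's DNS domain,
 * upper-cased, as the realm (oak.cs.ttu.edu -> CS.TTU.EDU).
 * Returns 0 on success, -1 if host has no domain part or it does not fit. */
int realm_from_host(char *realm, size_t realmlen, const char *host)
{
    const char *dot = strchr(host, '.');
    size_t i, len;

    if (dot == NULL || dot[1] == '\0')
        return -1;
    len = strlen(dot + 1);
    if (len >= realmlen)
        return -1;
    for (i = 0; i < len; i++)
        realm[i] = (char)toupper((unsigned char)dot[1 + i]);
    realm[len] = '\0';
    return 0;
}

int main(void)
{
    char realm[64], name[128];   /* constructed sample sizes */

    if (realm_from_host(realm, sizeof realm, "oak.cs.ttu.edu") == 0 &&
        build_princ(name, sizeof name, "gssklog", "oak.cs.ttu.edu", realm) == 0)
        printf("%s\n", name);
    return 0;
}
```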