[OpenAFS] When Using Kerberos5 is klog necessary?

Christopher D. Clausen cclausen@uiuc.edu
Thu, 22 Jan 2004 19:09:18 -0600


Chris McClimans <openafs-info@mcclimans.net> wrote:
> It's kinda backwards here.
> CS.TTU.EDU is my MIT Kerberos Realm and it trusts TTU.EDU which is the
> MS Active Directory Domain.
> CS.TTU.EDU is a service principal domain, no user accounts.
> I was looking into putting my service principal into the TTU.EDU AD.
> I've put in a request to get a keytab generated, but I'd rather keep
> control of my own realm and service principals if possible. Waiting on
> another organization to generate keytabs is a pain sometimes.
> -chri

Hmm...  You might have to manually set the [capaths] sections in the MIT
Kerberos config file to make REALM trusts work.  Here is mine (with
non-relevant things removed):

AD.UIUC.EDU is the Campus Active Directory domain
ACM.UIUC.EDU is ACM's MIT Kerberos realm.

[libdefaults]
        default_realm = ACM.UIUC.EDU
[capaths]
        AD.UIUC.EDU = {
                ACM.UIUC.EDU = .
        }

The full config file is at: file:///afs/acm.uiuc.edu/admin/etc/krb5.conf

-------------

We also have service principals for gssklog in our Active Directory, so
users can use either their Active Directory or ACM Kerberos credentials
to obtain AFS tokens.

This is what that looks like:
(msklist is Microsoft's utility, renamed, available from:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/klist-o.asp )


cclausen@KBS-CDC C:\>kdestroy

cclausen@KBS-CDC C:\>klist
klist: No credentials cache found (ticket cache API:cclausen.krb5cc)

Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)
cclausen@KBS-CDC C:\>msklist
Usage: msklist <tickets | tgt | purge>
cclausen@KBS-CDC C:\>msklist tgt

Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: cclausen
DomainName: AD.UIUC.EDU
TargetDomainName: AD.UIUC.EDU
AltTargetDomainName: AD.UIUC.EDU
TicketFlags: 0x40e00000
KeyExpirationTime: 256/0/29920 0:103:8048
StartTime: 1/22/2004 18:45:51
EndTime: 1/23/2004 4:45:51
RenewUntil: 1/29/2004 18:45:51
TimeSkew: 1/29/2004 18:45:51

cclausen@KBS-CDC C:\>unlog
cclausen@KBS-CDC C:\>tokens
Tokens held by the Cache Manager:
   --End of list --
cclausen@KBS-CDC C:\>klist
klist: No credentials cache found (ticket cache API:cclausen.krb5cc)

Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)
cclausen@KBS-CDC C:\>gssklog -ms
cclausen@KBS-CDC C:\>tokens
Tokens held by the Cache Manager:
User cclausen's tokens for afs@acm.uiuc.edu [Expires Jan 23 04:45]
   --End of list --
cclausen@KBS-CDC C:\>msklist tickets
Cached Tickets: (3)
   Server: krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 1/23/2004 4:45:51
      Renew Time: 1/29/2004 18:45:51

   Server: gssklog/mintaka.acm.uiuc.edu@AD.UIUC.EDU
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 1/23/2004 4:45:51
      Renew Time: 1/29/2004 18:45:51

   Server: host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 1/23/2004 4:45:51
      Renew Time: 1/29/2004 18:45:51
cclausen@KBS-CDC C:\>klist
klist: No credentials cache found (ticket cache API:cclausen.krb5cc)
Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)

<<CDC
Christopher D. Clausen
ACM@UIUC SysAdmin
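The reply above says the [capaths] section usually has to be set by hand for a cross-realm trust to work. The following is an added example, not code from the original post or from OpenAFS or MIT Kerberos: a small checker that parses that kind of krb5.conf fragment and prints the chain of cross-realm krbtgt tickets a client would need, either from an explicit capaths entry or, where none exists, from the hierarchical default MIT Kerberos falls back to. The realm names are the ones quoted in the post; the embedded config text, the function names and the sample realm pair used for the "no path" case are constructed here.

```python
"""Check which cross-realm path MIT Kerberos would take between two realms.

Added example (not from the mailing-list post or from MIT Kerberos): it
implements the explicit-capaths rule plus the hierarchical fallback so an
admin can see, before touching a KDC, which krbtgt/REALM2@REALM1 tickets a
client in REALM1 needs to reach a service in REALM2 and which realms the
ticket would be transited through.
"""
import re

# Constructed sample: the relevant lines of the krb5.conf quoted in the post.
SAMPLE_KRB5_CONF = """
[libdefaults]
        default_realm = ACM.UIUC.EDU
[capaths]
        AD.UIUC.EDU = {
                ACM.UIUC.EDU = .
        }
"""


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax needed here: [section] headers,
    'key = value' lines and one level of 'key = { ... }' blocks.  Keys inside
    a block accumulate into a list because capaths repeats the server-realm
    key once per intermediate realm."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r'^\[(\S+)\]$', line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
            continue
        if line == '}':
            block = None
            continue
        kv = re.match(r'^(\S+)\s*=\s*(\{|.+)$', line)
        if section is None or not kv:
            raise ValueError(f'unparsable line: {raw!r}')
        key, value = kv.group(1), kv.group(2).strip()
        if value == '{':
            block = section.setdefault(key, {})
        elif block is not None:
            block.setdefault(key, []).append(value)
        else:
            section[key] = value
    return conf


def hierarchical_path(client, server):
    """MIT's default when no capaths entry matches: walk up the client realm's
    name components to the longest common suffix, then down to the server.
    Returns None when the realms share no suffix (no implicit path)."""
    c, s = client.split('.'), server.split('.')
    common = []
    while c and s and c[-1] == s[-1]:
        common.insert(0, c.pop())
        s.pop()
    if not common:
        return None
    up = ['.'.join(c[i:] + common) for i in range(len(c) + 1)]
    down = ['.'.join(s[i:] + common) for i in range(len(s) - 1, -1, -1)]
    return up + down


def trust_path(conf, client, server):
    """Realms traversed from client realm to server realm, explicit capaths
    entry first ('.' means a direct trust), hierarchical fallback otherwise."""
    if client == server:
        return [client]
    hops = conf.get('capaths', {}).get(client, {}).get(server)
    if hops is not None:
        return [client] + [h for h in hops if h != '.'] + [server]
    return hierarchical_path(client, server)


def krbtgt_chain(path):
    """Cross-realm TGTs needed for a path: one krbtgt/NEXT@CURRENT per hop."""
    return [f'krbtgt/{nxt}@{cur}' for cur, nxt in zip(path, path[1:])]


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for client, server in [('AD.UIUC.EDU', 'ACM.UIUC.EDU'),
                           ('ACM.UIUC.EDU', 'AD.UIUC.EDU')]:
        path = trust_path(conf, client, server)
        if path is None:
            print(f'{client} -> {server}: no path')
            continue
        print(f'{client} -> {server}: via {" -> ".join(path)}')
        for tgt in krbtgt_chain(path):
            print('   needs', tgt)
```

Run against the quoted fragment, the AD.UIUC.EDU to ACM.UIUC.EDU direction resolves to a single direct hop, while the reverse direction, which has no capaths entry, falls back to a path through a UIUC.EDU realm that does not exist, which is exactly the failure the explicit entry avoids. Listing the transited realms this way is also a useful review step: every realm on the path is one whose KDC the client ends up trusting for that ticket.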