[OpenAFS] kaserver -> Heimdal where cell name != REALM and using Windows (krb4) AFS client

Daniel Joseph Barnhart Clark dclark@pobox.com
Mon, 07 Jun 2004 14:28:02 -0400


I'm trying to migrate to Heimdal Kerberos 0.6.2 from AFS kaserver. The
Heimdal servers are on separate machines from the AFS servers, and the
Kerberos 5 realm name is different from the AFS cell name. My goal is
that no immediate client-side changes be required due to the change in
Kerberos servers (at least on Windows, on Unix there's cfengine :-)

At the moment I'm trying to get this to work with the Windows AFS client
(krb4). To simplify testing at this point I'm not using krb-forwarder,
instead I just changed my Windows client to point to the Heimdal master
KDC as the only database server. 

In the files below the AFS cell name is old.domain.com and the new
Kerberos 5 realm name is NEW.DOMAIN.COM. The problem is that I can't
figure out how to get Heimdal to force the OLD.DOMAIN.COM v4 REALM that
the Windows AFS client uses to NEW.DOMAIN.COM before doing the
authentication. I have verified that when I create a "fake" AFS cell
new.domain.com on the Windows client everything seems to work from the
perspective of the KDC logs, so the conversion does look like it's the
problem.

Anyone know how to fix this (ugly hacks gratefully accepted :-)?

--------------------------------
Relevant lines from the log file
--------------------------------

2004-06-07T12:49:29 AS-REQ (krb4) dclark.@OLD.DOMAIN.COM from IPv4:69.90.152.149 for afs.@NEW.DOMAIN.COM
2004-06-07T12:49:29 Lookup dclark@OLD.DOMAIN.COM failed: No such entry in the database
2004-06-07T12:49:29 Client not found in database: dclark.@OLD.DOMAIN.COM: Failed to convert v4 principal
2004-06-07T12:49:29 sending 42 bytes to IPv4:69.90.152.149

--------------------------------------------
These are the principals that are in the kdc
--------------------------------------------

kadmin> list afs*
  afs@NEW.DOMAIN.COM
kadmin> list dclark*
  dclark@NEW.DOMAIN.COM
  dclark/admin@NEW.DOMAIN.COM

-------------------------
Here is my /etc/krb5.conf
-------------------------

[libdefaults]
        default_realm = NEW.DOMAIN.COM
        clockskew = 5 minutes
        v4_instance_resolve = false
        kdc_timeout = 3 seconds
        ticket_lifetime = 30 hours
        forwardable = true

[domain_realm]
        .domain.com = NEW.DOMAIN.COM
        domain.com = NEW.DOMAIN.COM
        .new.domain.com = NEW.DOMAIN.COM
        new.domain.com = NEW.DOMAIN.COM

[realms]
NEW.DOMAIN.COM = {
        kdc = kdc1.domain.com
        kdc = kdc2.domain.com
        kdc = kdc3.domain.com
        admin_server = kdc1.domain.com
        default_domain = new.domain.com
        v4_domains = domain.com new.domain.com
}

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

[kdc]
        require-preauth = false
        enable-kerberos4 = true
        afs-cell = old.domain.com
        v4-realm = NEW.DOMAIN.COM
        enable-kaserver = true
        enable-524 = true
        kdc_warn_pwexpire = 14 days

[kadmin]
        default_keys = v4 v5 des:afs3-salt:old.domain.com
        password_lifetime = 90 days

----------------------------------------
Here is my /var/lib/heimdal-kdc/kdc.conf
----------------------------------------

[kdc]
logging = FILE:/var/log/heimdal-kdc.log
require-preauth = no

[kdcdefaults]
kdc_ports = 88,750

[realms]
NEW.DOMAIN.COM = {
  database_name = /var/lib/heimdal-kdc/heimdal
  admin_keytab = /var/lib/heimdal-kdc/kadmind.keytab
  acl_file = /var/lib/heimdal-kdc/kadmind.acl
  dict_file = /var/lib/heimdal-kdc/kadmind.dict
  key_stash_file = /var/lib/heimdal-kdc/m-key
  kadmind_port = 749
  max_life = 30h 0m 0s
  max_renewable_life = 21d 0h 0m 0s
  }

Thanks,

-- 
Daniel Joseph Barnhart Clark
http://www.pobox.com/users/dclark
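The log excerpt in the post shows the step that fails: the KDC turns the krb4 principal dclark.@OLD.DOMAIN.COM into the v5 principal dclark@OLD.DOMAIN.COM and looks that up, while the database only holds dclark@NEW.DOMAIN.COM. The following is an added illustration, not Heimdal's conversion code and not anything from the post's configuration: it performs the krb4 to krb5 name conversion with an assumed realm-rewrite table (V4_REALM_MAP, not on the page) and runs it over the quoted log lines, so you can see which client lookups would miss with and without the rewrite. The AS-REQ regular expression is written to match the line format shown in the post.

```python
"""krb4 -> krb5 principal conversion with realm rewriting, applied to Heimdal KDC log lines.

Added example; this is not Heimdal's own conversion code and not the poster's setup.
Assumptions (not on the page): a V4_REALM_MAP table that says which v5 realm a
legacy v4 realm should be looked up in, and a regular expression matching the
AS-REQ log line format quoted in the post.
"""
import re
from typing import Dict, List, Optional

# Assumed mapping: the v4 realm a legacy AFS client sends (its cell name in upper
# case) -> the v5 realm that actually holds the principals.
V4_REALM_MAP: Dict[str, str] = {"OLD.DOMAIN.COM": "NEW.DOMAIN.COM"}

# Principals present in the KDC, as listed by kadmin in the post.
KDC_PRINCIPALS = {
    "afs@NEW.DOMAIN.COM",
    "dclark@NEW.DOMAIN.COM",
    "dclark/admin@NEW.DOMAIN.COM",
}

# The log excerpt from the post, one entry per line.
SAMPLE_LOG: List[str] = [
    "2004-06-07T12:49:29 AS-REQ (krb4) dclark.@OLD.DOMAIN.COM from IPv4:69.90.152.149 for afs.@NEW.DOMAIN.COM",
    "2004-06-07T12:49:29 Lookup dclark@OLD.DOMAIN.COM failed: No such entry in the database",
    "2004-06-07T12:49:29 Client not found in database: dclark.@OLD.DOMAIN.COM: Failed to convert v4 principal",
    "2004-06-07T12:49:29 sending 42 bytes to IPv4:69.90.152.149",
]

# Assumed line shape: "<ts> AS-REQ (krb4) <client> from <addr> for <server>"
AS_REQ_RE = re.compile(
    r"^(?P<ts>\S+) AS-REQ \(krb4\) (?P<client>\S+) from (?P<addr>\S+) for (?P<server>\S+)$"
)


def v4_to_v5(principal: str, realm_map: Dict[str, str] = V4_REALM_MAP) -> str:
    """Turn a krb4 'name.instance@REALM' into krb5 'name/instance@REALM'.

    krb4 names cannot contain '.', so the first '.' separates name from instance;
    an empty instance ('dclark.@REALM', as Heimdal prints it) becomes 'dclark@REALM'.
    The realm is rewritten through realm_map; realms not in the map are kept as-is.
    """
    name_inst, _, realm = principal.partition("@")
    name, _, inst = name_inst.partition(".")
    v5_realm = realm_map.get(realm, realm)
    return f"{name}/{inst}@{v5_realm}" if inst else f"{name}@{v5_realm}"


def triage_as_req(line: str, realm_map: Dict[str, str] = V4_REALM_MAP,
                  db=KDC_PRINCIPALS) -> Optional[dict]:
    """Parse one krb4 AS-REQ log line and report whether the converted client and
    server principals exist in the KDC. Returns None for lines that are not AS-REQs."""
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    client = v4_to_v5(m["client"], realm_map)
    server = v4_to_v5(m["server"], realm_map)
    return {
        "ts": m["ts"],
        "addr": m["addr"],
        "client": client,
        "server": server,
        "client_known": client in db,
        "server_known": server in db,
    }


def unknown_clients(log_lines: List[str], realm_map: Dict[str, str] = V4_REALM_MAP,
                    db=KDC_PRINCIPALS) -> List[str]:
    """Converted client principals from krb4 AS-REQs that the KDC would not find.

    With realm_map={} (no rewrite) this reproduces the lookup failure in the post;
    with the assumed mapping the list is empty.
    """
    missing = []
    for line in log_lines:
        r = triage_as_req(line, realm_map, db)
        if r and not r["client_known"]:
            missing.append(r["client"])
    return missing


if __name__ == "__main__":
    print("without realm rewrite:", unknown_clients(SAMPLE_LOG, realm_map={}))
    print("with realm rewrite:   ", unknown_clients(SAMPLE_LOG))
```

Fed the KDC log, unknown_clients() is also a cheap monitoring check during such a migration: a stream of "client not found" lookups whose realm is the old cell name points at the conversion step, not at the client or the database contents.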