[OpenAFS] kaserver -> Heimdal where cell name != REALM and using Windows (krb4) AFS client
Daniel Joseph Barnhart Clark
dclark@pobox.com
Mon, 07 Jun 2004 14:28:02 -0400
I'm trying to migrate to Heimdal Kerberos 0.6.2 from AFS kaserver. The
Heimdal servers are on separate machines from the AFS servers, and the
Kerberos 5 realm name is different from the AFS cell name. My goal is
that no immediate client-side changes be required due to the change in
Kerberos servers (at least on Windows, on Unix there's cfengine :-)
At the moment I'm trying to get this to work with the Windows AFS client
(krb4). To simplify testing at this point I'm not using krb-forwarder,
instead I just changed my Windows client to point to the Heimdal master
KDC as the only database server.
In the files below, the AFS cell name is old.domain.com and the new
Kerberos 5 realm name is NEW.DOMAIN.COM. The problem is that I can't
figure out how to get Heimdal to force the OLD.DOMAIN.COM v4 REALM that
the Windows AFS client uses to NEW.DOMAIN.COM before doing the
authentication. I have verified that when I create a "fake" AFS cell
new.domain.com on the Windows client everything seems to work from the
perspective of the KDC logs, so the conversion does look like it's the
problem.
Anyone know how to fix this (ugly hacks gratefully accepted :-)?
--------------------------------
Relevant lines from the log file
--------------------------------
2004-06-07T12:49:29 AS-REQ (krb4) dclark.@OLD.DOMAIN.COM from IPv4:69.90.152.149 for afs.@NEW.DOMAIN.COM
2004-06-07T12:49:29 Lookup dclark@OLD.DOMAIN.COM failed: No such entry in the database
2004-06-07T12:49:29 Client not found in database: dclark.@OLD.DOMAIN.COM: Failed to convert v4 principal
2004-06-07T12:49:29 sending 42 bytes to IPv4:69.90.152.149
--------------------------------------------
These are the principals that are in the kdc
--------------------------------------------
kadmin> list afs*
afs@NEW.DOMAIN.COM
kadmin> list dclark*
dclark@NEW.DOMAIN.COM
dclark/admin@NEW.DOMAIN.COM
-------------------------
Here is my /etc/krb5.conf
-------------------------
[libdefaults]
    default_realm = NEW.DOMAIN.COM
    clockskew = 5 minutes
    v4_instance_resolve = false
    kdc_timeout = 3 seconds
    ticket_lifetime = 30 hours
    forwardable = true

[domain_realm]
    .domain.com = NEW.DOMAIN.COM
    domain.com = NEW.DOMAIN.COM
    .new.domain.com = NEW.DOMAIN.COM
    new.domain.com = NEW.DOMAIN.COM

[realms]
    NEW.DOMAIN.COM = {
        kdc = kdc1.domain.com
        kdc = kdc2.domain.com
        kdc = kdc3.domain.com
        admin_server = kdc1.domain.com
        default_domain = new.domain.com
        v4_domains = domain.com new.domain.com
    }

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

[kdc]
    require-preauth = false
    enable-kerberos4 = true
    afs-cell = old.domain.com
    v4-realm = NEW.DOMAIN.COM
    enable-kaserver = true
    enable-524 = true
    kdc_warn_pwexpire = 14 days

[kadmin]
    default_keys = v4 v5 des:afs3-salt:old.domain.com
    password_lifetime = 90 days
----------------------------------------
Here is my /var/lib/heimdal-kdc/kdc.conf
----------------------------------------
[kdc]
    logging = FILE:/var/log/heimdal-kdc.log
    require-preauth = no

[kdcdefaults]
    kdc_ports = 88,750

[realms]
    NEW.DOMAIN.COM = {
        database_name = /var/lib/heimdal-kdc/heimdal
        admin_keytab = /var/lib/heimdal-kdc/kadmind.keytab
        acl_file = /var/lib/heimdal-kdc/kadmind.acl
        dict_file = /var/lib/heimdal-kdc/kadmind.dict
        key_stash_file = /var/lib/heimdal-kdc/m-key
        kadmind_port = 749
        max_life = 30h 0m 0s
        max_renewable_life = 21d 0h 0m 0s
    }
Thanks,
--
Daniel Joseph Barnhart Clark
http://www.pobox.com/users/dclark
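Added example (not part of the original post, and not Heimdal's own code): a small Python triage script for the situation described above. It parses Heimdal KDC log lines in the "AS-REQ (krb4) client from addr for server" and "Failed to convert v4 principal" formats quoted in the post, splits each Kerberos 4 principal into name, instance and realm (an empty instance is logged as a trailing dot, as in "dclark.@OLD.DOMAIN.COM"), and reports every krb4 request whose client realm differs from the realm the KDC serves. The KDC realm NEW.DOMAIN.COM is taken from the post; the sample log text is constructed from the quoted lines, and its second, successful request (188 bytes sent) is invented to give the script a non-failing case.

```python
"""
Triage Heimdal KDC logs for Kerberos 4 requests from a foreign v4 realm.

Added example, not from the original post or from Heimdal. The log line
formats are those quoted in the post; SAMPLE_LOG is constructed from them.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Realm the KDC serves (from the post). Assumption: one realm per KDC.
KDC_REALM = "NEW.DOMAIN.COM"

# Constructed sample: the first four lines mirror the post's log excerpt,
# the last two are an invented successful request for contrast.
SAMPLE_LOG = """\
2004-06-07T12:49:29 AS-REQ (krb4) dclark.@OLD.DOMAIN.COM from IPv4:69.90.152.149 for afs.@NEW.DOMAIN.COM
2004-06-07T12:49:29 Lookup dclark@OLD.DOMAIN.COM failed: No such entry in the database
2004-06-07T12:49:29 Client not found in database: dclark.@OLD.DOMAIN.COM: Failed to convert v4 principal
2004-06-07T12:49:29 sending 42 bytes to IPv4:69.90.152.149
2004-06-07T12:51:02 AS-REQ (krb4) dclark.@NEW.DOMAIN.COM from IPv4:69.90.152.149 for afs.@NEW.DOMAIN.COM
2004-06-07T12:51:02 sending 188 bytes to IPv4:69.90.152.149
"""

AS_REQ_RE = re.compile(
    r"^(?P<ts>\S+) AS-REQ \(krb4\) (?P<client>\S+) from (?P<addr>\S+) for (?P<server>\S+)$"
)
V4_FAIL_RE = re.compile(
    r"^(?P<ts>\S+) Client not found in database: (?P<client>[^\s:]+): "
    r"Failed to convert v4 principal$"
)


@dataclass(frozen=True)
class V4Principal:
    name: str
    instance: str
    realm: str


@dataclass(frozen=True)
class Krb4Request:
    ts: str
    client: V4Principal
    addr: str
    server: V4Principal


def parse_v4_principal(text: str) -> V4Principal:
    """Split a Kerberos 4 principal 'name.instance@REALM' as the KDC logs it.

    Kerberos 4 separates name and instance with '.', so an empty instance
    shows up as a trailing dot ('dclark.@OLD.DOMAIN.COM').
    """
    local, realm = text.rsplit("@", 1)
    name, _, instance = local.partition(".")
    return V4Principal(name, instance, realm)


def parse_krb4_requests(log_text: str) -> list[Krb4Request]:
    """Return every krb4 AS-REQ line as a structured record."""
    requests = []
    for line in log_text.splitlines():
        m = AS_REQ_RE.match(line)
        if m:
            requests.append(Krb4Request(
                m["ts"], parse_v4_principal(m["client"]),
                m["addr"], parse_v4_principal(m["server"]),
            ))
    return requests


def find_realm_mismatches(log_text: str, kdc_realm: str) -> list[Krb4Request]:
    """krb4 requests whose client realm is not the realm this KDC serves."""
    return [r for r in parse_krb4_requests(log_text) if r.client.realm != kdc_realm]


def conversion_failures(log_text: str) -> list[V4Principal]:
    """Client principals the KDC could not convert from v4 to v5."""
    return [parse_v4_principal(m["client"])
            for line in log_text.splitlines() if (m := V4_FAIL_RE.match(line))]


def foreign_realms(log_text: str, kdc_realm: str) -> dict[str, int]:
    """Count krb4 requests per client realm other than kdc_realm."""
    return dict(Counter(r.client.realm for r in find_realm_mismatches(log_text, kdc_realm)))


if __name__ == "__main__":
    for req in find_realm_mismatches(SAMPLE_LOG, KDC_REALM):
        print(f"{req.ts} {req.addr}: v4 client realm {req.client.realm} "
              f"!= KDC realm {KDC_REALM} (name={req.client.name!r}, "
              f"instance={req.client.instance!r})")
    print("unconvertible v4 clients:", conversion_failures(SAMPLE_LOG))
    print("foreign realms seen:", foreign_realms(SAMPLE_LOG, KDC_REALM))
```

Pointing the script at the real KDC log (the file named by `logging` in `[kdc]`) shows at a glance which clients still send the old cell name as their v4 realm, which is the population that any realm-mapping fix on the KDC has to cover before the old kaserver is shut off.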