[OpenAFS] kaserver -> Heimdal where cell name != REALM and using Windows (krb4) AFS client

Daniel Joseph Barnhart Clark dclark@pobox.com
Tue, 08 Jun 2004 07:45:22 -0400


FYI it looks like this is possible with MIT Kerberos + Ken's
monster-patch --with-krb524-remapping option, and I've queried the
Heimdal list to see if this is possible with straight Heimdal [1]. The
only other reference I found in my second round of searching that looks
somewhat related to this problem was from the krbdev list [2]. Worst-case
I guess I could change my cell name [3].

[1] [heimdal-discuss] Remapping old Kerberos 4 realm name to new Kerberos 5 realm name
http://www.stacken.kth.se/lists/heimdal-discuss/2004-06/msg00047.html 

[2] [krbdev] Porting Heimdal's libkafs to MIT Kerberos
http://mailman.mit.edu/pipermail/krbdev/2004-January/002148.html

[3] AFS Administrative Procedures - Changing Your Cell Name
http://www.rz.uni-hohenheim.de/netzwerkbetriebssysteme/afs36/debug/admin/cellname.html

On Mon, 07 Jun 2004 14:28:02 -0400, "Daniel Joseph Barnhart Clark"
<dclark@pobox.com> said:
> I'm trying to migrate to Heimdal Kerberos 0.6.2 from AFS kaserver. The
> Heimdal servers are on separate machines from the AFS servers, and the
> Kerberos 5 realm name is different from the AFS cell name. My goal is
> that no immediate client-side changes be required due to the change in
> Kerberos servers (at least on Windows, on Unix there's cfengine :-)
> 
> At the moment I'm trying to get this to work with the Windows AFS client
> (krb4). To simplify testing at this point I'm not using krb-forwarder,
> instead I just changed my Windows client to point to the Heimdal master
> KDC as the only database server. 
> 
> In the below files the AFS cell name is old.domain.com and the new
> Kerberos 5 realm name is NEW.DOMAIN.COM. The problem is that I can't
> figure out how to get Heimdal to force the OLD.DOMAIN.COM v4 REALM that
> the Windows AFS client uses to NEW.DOMAIN.COM before doing the
> authentication. I have verified that when I create a "fake" AFS cell
> new.domain.com on the Windows client everything seems to work from the
> perspective of the KDC logs, so the conversion does look like it's the
> problem.
> 
> Anyone know how to fix this (ugly hacks gratefully accepted :-)?
> 
> --------------------------------
> Relevant lines from the log file
> --------------------------------
> 
> 2004-06-07T12:49:29 AS-REQ (krb4) dclark.@OLD.DOMAIN.COM from
> IPv4:69.90.152.149 for afs.@NEW.DOMAIN.COM
> 2004-06-07T12:49:29 Lookup dclark@OLD.DOMAIN.COM failed: No such entry in
> the database
> 2004-06-07T12:49:29 Client not found in database: dclark.@OLD.DOMAIN.COM:
> Failed to convert v4 principal
> 2004-06-07T12:49:29 sending 42 bytes to IPv4:69.90.152.149
> 
> --------------------------------------------
> These are the principals that are in the kdc
> --------------------------------------------
> 
> kadmin> list afs*
>   afs@NEW.DOMAIN.COM
> kadmin> list dclark*
>   dclark@NEW.DOMAIN.COM
>   dclark/admin@NEW.DOMAIN.COM
> 
> -------------------------
> Here is my /etc/krb5.conf
> -------------------------
> 
> [libdefaults]
>         default_realm = NEW.DOMAIN.COM
>         clockskew = 5 minutes
>         v4_instance_resolve = false
>         kdc_timeout = 3 seconds
>         ticket_lifetime = 30 hours
>         forwardable = true
> 
> [domain_realm]
>         .domain.com = NEW.DOMAIN.COM
>         domain.com = NEW.DOMAIN.COM
>         .new.domain.com = NEW.DOMAIN.COM
>         new.domain.com = NEW.DOMAIN.COM
> 
> [realms]
> NEW.DOMAIN.COM = {
>         kdc = kdc1.domain.com
>         kdc = kdc2.domain.com
>         kdc = kdc3.domain.com
>         admin_server = kdc1.domain.com
>         default_domain = new.domain.com
>         v4_domains = domain.com new.domain.com
> }
> 
> [logging]
>         kdc = FILE:/var/log/krb5kdc.log
>         admin_server = FILE:/var/log/kadmin.log
>         default = FILE:/var/log/krb5lib.log
> 
> [kdc]
>         require-preauth = false
>         enable-kerberos4 = true
>         afs-cell = old.domain.com
>         v4-realm = NEW.DOMAIN.COM
>         enable-kaserver = true
>         enable-524 = true
>         kdc_warn_pwexpire = 14 days
> 
> [kadmin]
>         default_keys = v4 v5 des:afs3-salt:old.domain.com
>         password_lifetime = 90 days
> 
> ----------------------------------------
> Here is my /var/lib/heimdal-kdc/kdc.conf
> ----------------------------------------
> 
> [kdc]
> logging = FILE:/var/log/heimdal-kdc.log
> require-preauth = no
> 
> [kdcdefaults]
> kdc_ports = 88,750
> 
> [realms]
> NEW.DOMAIN.COM = {
>   database_name = /var/lib/heimdal-kdc/heimdal
>   admin_keytab = /var/lib/heimdal-kdc/kadmind.keytab
>   acl_file = /var/lib/heimdal-kdc/kadmind.acl
>   dict_file = /var/lib/heimdal-kdc/kadmind.dict
>   key_stash_file = /var/lib/heimdal-kdc/m-key
>   kadmind_port = 749
>   max_life = 30h 0m 0s
>   max_renewable_life = 21d 0h 0m 0s
>   }
-- 
Daniel Joseph Barnhart Clark
http://www.pobox.com/users/dclark
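As an added example (not code from the thread or from Heimdal), a small Python check that reads the [kdc] section of a krb5.conf and runs over KDC log lines in the format quoted above, reporting krb4 AS-REQs whose client realm is not the configured v4-realm. The config fragment and log lines are constructed samples; the assumption that a krb4 AFS client presents its cell name upper-cased as the realm follows what the quoted log shows.

```python
import re
# Constructed [kdc] section mirroring the krb5.conf quoted in the post
KDC_CONF = """\
[kdc]
        enable-kerberos4 = true
        afs-cell = old.domain.com
        v4-realm = NEW.DOMAIN.COM
"""

# Constructed KDC log lines in the format the post quotes (192.0.2.0/24 is the
# documentation address range; the last request carries a realm this KDC never serves)
KDC_LOG = """\
2004-06-07T12:49:29 AS-REQ (krb4) dclark.@OLD.DOMAIN.COM from IPv4:192.0.2.10 for afs.@NEW.DOMAIN.COM
2004-06-07T12:50:14 AS-REQ (krb4) dclark.@NEW.DOMAIN.COM from IPv4:192.0.2.10 for afs.@NEW.DOMAIN.COM
2004-06-07T12:51:02 AS-REQ (krb4) backup.srv@OTHER.EXAMPLE from IPv4:192.0.2.44 for afs.@NEW.DOMAIN.COM
"""

# krb4 principals print as name.instance@REALM; an empty instance leaves "dclark.@REALM"
AS_REQ_V4 = re.compile(
    r"^(?P<ts>\S+) AS-REQ \(krb4\) (?P<client>\S+?)\.?@(?P<crealm>\S+) "
    r"from (?P<addr>\S+) for (?P<service>\S+?)\.?@(?P<srealm>\S+)$"
)


def parse_kdc_section(conf_text):
    """Return the key = value pairs of the [kdc] section of a Heimdal krb5.conf."""
    opts, in_kdc = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_kdc = line == "[kdc]"
        elif in_kdc and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts[key] = value
    return opts


def audit_krb4_requests(log_text, opts):
    """Flag krb4 AS-REQs whose client realm is not the KDC's v4-realm: the KDC
    then looks the principal up in a realm it does not serve, as in the post's log."""
    v4_realm = opts.get("v4-realm", "")
    cell_realm = opts.get("afs-cell", "").upper()  # realm a krb4 AFS client presents (assumed)
    findings = []
    for line in log_text.splitlines():
        m = AS_REQ_V4.match(line)
        if m is None or m["crealm"] == v4_realm:
            continue
        cause = ("client realm is the upper-cased afs-cell, not v4-realm"
                 if m["crealm"] == cell_realm else "realm unknown to this KDC")
        findings.append((m["ts"], f"{m['client']}@{m['crealm']}", m["addr"], cause))
    return findings
```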