[OpenAFS] Cross Realm Kerberos+AFS

Derek Atkins warlord@MIT.EDU
Tue, 18 May 2004 15:39:04 -0400


Huh?  Since when do you need a capaths to accept directly-shared cross
realm keys?

-derek

Jeffrey Altman <jaltman@columbia.edu> writes:

> If you are using an MIT KDC then you need to add a [capaths] section to your KDC's
> krb5.conf and restart the KDC.
>
> The cross-realm trust path is not being accepted by the KDC.
>
> Jeffrey Altman
>
> Derek Harkness wrote:
>
>     Here's what I'm trying to do, could someone please tell me if it's even
>     possible?
>    
>     I have two Kerberos realms BAR.COM and FOO.BAR.COM and I've established a
>     Kerberos trust between them.  All of my users exist in BAR.COM but allow them
>     to access my AFS cell foo.bar.com.  Currently whenever I try to get AFS
>     tokens, aklog reports "aklog: KDC policy rejects request while getting AFS
>     tickets".
>    
>     So what am I doing wrong here?
>    
>     Thanks!
>     Derek
>    
>     "I do not believe that the same God who has endowed us with sense, reason, and
>     intellect has intended us to forgo their use"
>     -- Galileo Galilei
>

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available