[OpenAFS] Cross Realm Kerberos+AFS
dharknes@umd.umich.edu
Tue, 18 May 2004 15:40:28 -0400
I've got one. Here is my krb5.conf. Also on the client side I even get the
correct kerberos tickets, i.e. I get my afs ticket.
[libdefaults]
    ...

[realms]
    BAR.COM = {
        kdc = kdc.bar.com
        admin_server = kdc.bar.com
    }
    FOO.BAR.COM = {
        kdc = kdc.foo.bar.com
        admin_server = kdc.foo.bar.com
    }

[domain_realm]
    .bar.com = BAR.COM
    .foo.bar.com = FOO.BAR.COM

[capaths]
    BAR.COM = {
        FOO.BAR.COM = .
    }
    FOO.BAR.COM = {
        BAR.COM = .
    }
Thanks,
Derek
Quoting Jeffrey Altman <jaltman@columbia.edu>:
> If you are using an MIT KDC then you need to add a [capaths] section to
> your KDC's krb5.conf and restart the KDC.
>
> The cross-realm trust path is not being accepted by the KDC.
>
> Jeffrey Altman
>
> Derek Harkness wrote:
>
> > Here's what I'm trying to do, could someone please tell me if it's
> > even possible?
> >
> > I have two kerberos realms BAR.COM and FOO.BAR.COM and I've
> > established a kerberos trust between them. All of my users exist in
> > BAR.COM but allow them to access my AFS cell foo.bar.com. Currently
> > whenever I try to get an AFS token, aklog reports "aklog: KDC policy
> > rejects request while getting AFS tickets".
> >
> > So what am I doing wrong here?
> >
> > Thanks!
> > Derek
> >
> > "I do not believe that the same God who has endowed us with sense,
> > reason, and intellect has intended us to forgo their use"
> > -- Galileo Galilei
>
>
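The thread comes down to one configuration fact: a direct cross-realm path has to be declared under [capaths] in both directions, and (per the reply) on the MIT KDC's own krb5.conf as well as on the client. Below is an added example, written for this page and not taken from the thread, OpenAFS or MIT Kerberos: a small Python check that parses a krb5.conf, walks the realms it declares and reports every realm pair that has no [capaths] entry in one or both directions. The two sample configurations are constructed; the client one mirrors the config posted above (the default_realm line is an assumption), and the second stands in for a KDC-side krb5.conf that never got its [capaths] section.

```python
"""Check that a krb5.conf declares cross-realm paths in both directions.

Added example for the thread above; not OpenAFS or MIT Kerberos code.
The parser handles the krb5.conf subset needed here: [section] headers,
'key = value' lines and one level of 'key = { ... }' blocks.
"""
import re
import sys

SECTION_RE = re.compile(r"^\[(\w+)\]$")
BLOCK_OPEN_RE = re.compile(r"^([^=\s]+)\s*=\s*\{$")
KV_RE = re.compile(r"^([^=\s]+)\s*=\s*(.+)$")


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'key = { ... }' block becomes a dict."""
    conf = {}
    section = None   # dict for the current [section]
    block = None     # dict for the current { ... } block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"entry outside any section: {raw!r}")
        if line == "}":
            if block is None:
                raise ValueError("unbalanced '}'")
            block = None
            continue
        m = BLOCK_OPEN_RE.match(line)
        if m:
            if block is not None:
                raise ValueError("nested blocks are not supported")
            block = section.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse line: {raw!r}")
        target = block if block is not None else section
        target[m.group(1)] = m.group(2).strip()
    if block is not None:
        raise ValueError("unterminated '{' block")
    return conf


def missing_capaths(conf, realms=None):
    """List (client_realm, server_realm) pairs with no [capaths] entry.

    [capaths] is keyed by the client's realm; inside it, 'SERVER = .' declares
    a direct path, which is what the posted config uses. By default every
    realm in [realms] is checked against every other one.
    """
    capaths = conf.get("capaths", {})
    if realms is None:
        realms = sorted(conf.get("realms", {}))
    missing = []
    for client in realms:
        entry = capaths.get(client)
        for server in realms:
            if client == server:
                continue
            if not isinstance(entry, dict) or server not in entry:
                missing.append((client, server))
    return missing


# Constructed sample: the client config from the thread (default_realm assumed).
CLIENT_CONF = """
[libdefaults]
    default_realm = BAR.COM
[realms]
    BAR.COM = {
        kdc = kdc.bar.com
        admin_server = kdc.bar.com
    }
    FOO.BAR.COM = {
        kdc = kdc.foo.bar.com
        admin_server = kdc.foo.bar.com
    }
[domain_realm]
    .bar.com = BAR.COM
    .foo.bar.com = FOO.BAR.COM
[capaths]
    BAR.COM = {
        FOO.BAR.COM = .
    }
    FOO.BAR.COM = {
        BAR.COM = .
    }
"""

# Constructed sample: a KDC-side krb5.conf with the [capaths] section left out.
KDC_CONF_WITHOUT_CAPATHS = CLIENT_CONF.split("[capaths]")[0]


if __name__ == "__main__":
    # Usage: python capaths_check.py /etc/krb5.conf (defaults to the sample KDC config)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else KDC_CONF_WITHOUT_CAPATHS
    for client, server in missing_capaths(parse_krb5_conf(text)):
        print(f"no [capaths] entry for clients in {client} reaching {server}")
```

Run it against the client's and the KDC's krb5.conf; an empty result on the client but two missing pairs on the KDC reproduces the situation the reply describes, where the client can obtain tickets but the KDC refuses the trust path.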