[OpenAFS] Cross Realm Kerberos+AFS

Jeffrey Altman jaltman@columbia.edu
Tue, 18 May 2004 15:50:25 -0400


Can you give us the full output of aklog with the -d flag?



dharknes@umd.umich.edu wrote:

>I've got one.  Here is my krb5.conf.  Also on the client side I even get the
>correct Kerberos tickets, i.e. I get my AFS ticket.
>
>[libdefaults]
>...
>
>[realms]
>        BAR.COM = {
>                kdc = kdc.bar.com
>                admin_server = kdc.bar.com
>        }
>
>        FOO.BAR.COM = {
>                kdc = kdc.foo.bar.com
>                admin_server = kdc.foo.bar.com
>        }
>
>[domain_realm]
>        .bar.com = BAR.COM
>        .foo.bar.com = FOO.BAR.COM
>
>[capaths]
>        BAR.COM = {
>                FOO.BAR.COM = .
>        }
>
>        FOO.BAR.COM = {
>                BAR.COM = .
>        }
>
>
>Thanks,
>Derek
>
>Quoting Jeffrey Altman <jaltman@columbia.edu>:
>
>
>>If you are using an MIT KDC then you need to add a [capaths] section to
>>your KDC's
>>krb5.conf and restart the KDC.
>>
>>The cross-realm trust path is not being accepted by the KDC.
>>
>>Jeffrey Altman
>>
>>Derek Harkness wrote:
>>
>>
>>>Here's what I'm trying to do, could someone please tell me if it's
>>>even possible?
>>>
>>>I have two Kerberos realms BAR.COM and FOO.BAR.COM and I've
>>>established a Kerberos trust between them.  All of my users exist in
>>>BAR.COM but I want to allow them to access my AFS cell foo.bar.com.  Currently
>>>whenever I try to get an AFS token, aklog reports "aklog: KDC policy
>>>rejects request while getting AFS tickets".
>>>
>>>So what am I doing wrong here?
>>>
>>>Thanks!
>>>Derek
>>>
>>>"I do not believe that the same God who has endowed us with sense,
>>>reason, and intellect has intended us to forgo their use"
>>>-- Galileo Galilei
>>>
>>
>
>
>
>_______________________________________________
>OpenAFS-info mailing list
>OpenAFS-info@openafs.org
>https://lists.openafs.org/mailman/listinfo/openafs-info
>

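To make the [capaths] semantics discussed in this thread concrete, here is an added example (not code from the thread, OpenAFS or MIT Kerberos): a small parser for the [capaths] section and a simplified model of the transited-realm check a KDC performs before issuing a cross-realm service ticket, which is the check that surfaces client-side as "KDC policy rejects request". SAMPLE_KRB5_CONF is a constructed fragment modelled on the poster's config, and kdc_accepts is a deliberately simplified model of the policy check, not MIT's own transited-list logic.

```python
import re
from collections import defaultdict

# Constructed [capaths] fragment modelled on the thread's krb5.conf (not the poster's file).
SAMPLE_KRB5_CONF = """\
[capaths]
        BAR.COM = {
                FOO.BAR.COM = .
        }
        FOO.BAR.COM = {
                BAR.COM = .
        }
"""

def parse_capaths(text):
    """Return {client_realm: {server_realm: [entries]}} parsed from [capaths]."""
    paths = defaultdict(lambda: defaultdict(list))
    section = client = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, client = m.group(1), None
        elif section != "capaths":
            continue
        elif line == "}":
            client = None
        elif line.endswith("{"):
            client = line.split("=", 1)[0].strip()  # "CLIENT_REALM = {"
        elif client and "=" in line:
            server, value = (s.strip() for s in line.split("=", 1))
            paths[client][server].append(value)  # repeated keys list intermediates in order
    return paths

def trust_path(paths, client, server):
    """Intermediate realms from client to server realm: [] is a direct hop,
    None means [capaths] is silent (real krb5 then tries the hierarchical default)."""
    entries = paths.get(client, {}).get(server)
    if entries is None:
        return None
    return [] if entries == ["."] else entries

def kdc_accepts(paths, client, server, transited):
    """Simplified model of the KDC's transited-realm check: the realms recorded
    in the ticket must match the path this KDC's own krb5.conf permits, and an
    unconfigured path is rejected (what aklog reports as KDC_ERR_POLICY)."""
    path = trust_path(paths, client, server)
    return path is not None and path == list(transited)
```

The model shows why the KDC's own krb5.conf matters: the client's [capaths] only chooses which realms to ask, while the server-side KDC validates the transited realms against its own configuration.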