[OpenAFS] Cross Realm Kerberos+AFS

Douglas E. Engert deengert@anl.gov
Wed, 19 May 2004 11:14:48 -0500


As Ken pointed out, this looks like krb524d. It can return KRB5KDC_ERR_POLICY
if you try to use a V4 cross realm ticket, which is what krb524d is
doing for you. There are options in krb524d to use a V5 ticket which can
handle cross realm for you.



Derek Harkness wrote:
> 
> Cross realm kinit; aklog -d; klist -e -f
> 
> Valid starting     Expires            Service principal
> 05/19/04 07:41:17  05/19/04 17:41:15  krbtgt/UMD.UMICH.EDU@UMD.UMICH.EDU
>          Flags: FPIA, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
> 05/19/04 07:41:18  05/19/04 17:41:15  krbtgt/ITS.UMD.UMICH.EDU@UMD.UMICH.EDU
>          Flags: FPAT, Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, DES cbc mode with CRC-32
> 05/19/04 07:41:18  05/19/04 17:41:15  afs/its.umd.umich.edu@ITS.UMD.UMICH.EDU
>          Flags: FPAT, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> 
> Non-Cross realm kinit; aklog -d; klist -e -f
> Valid starting     Expires            Service principal
> 05/19/04 07:42:42  05/19/04 17:42:42  krbtgt/ITS.UMD.UMICH.EDU@ITS.UMD.UMICH.EDU
>          Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> 05/19/04 07:42:56  05/19/04 17:42:42  afs/its.umd.umich.edu@ITS.UMD.UMICH.EDU
>          Flags: FPAT, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> 
> Derek
> 
> On May 18, 2004, at 11:38 PM, Douglas E. Engert wrote:
> 
> > This is KRB5KDC_ERR_POLICY. As Jeff said, this would be the transited
> > field.
> >
> > After you do a kinit and an "aklog -d"
> >  what does "klist -e -f" show?
> > Can you try this on both systems?

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444