[OpenAFS] Cross Realm Kerberos+AFS
Douglas E. Engert
deengert@anl.gov
Wed, 19 May 2004 11:14:48 -0500
As Ken pointed out, this looks like krb524d. It can return KRB5KDC_ERR_POLICY
if you try and use a V4 cross realm ticket, which is what krb524d is
doing for you. There are options in krb524d to use a V5 ticket which can
handle cross realm for you.
Derek Harkness wrote:
>
> Cross realm kinit; aklog -d; klist -e -f
>
> Valid starting Expires Service principal
> 05/19/04 07:41:17 05/19/04 17:41:15 krbtgt/UMD.UMICH.EDU@UMD.UMICH.EDU
> Flags: FPIA, Etype (skey, tkt): Triple DES cbc mode with
> HMAC/sha1, Triple DES cbc mode with HMAC/sha1 05/19/04 07:41:18
> 05/19/04 17:41:15 krbtgt/ITS.UMD.UMICH.EDU@UMD.UMICH.EDU
> Flags: FPAT, Etype (skey, tkt): Triple DES cbc mode with
> HMAC/sha1, DES cbc mode with CRC-32
> 05/19/04 07:41:18 05/19/04 17:41:15
> afs/its.umd.umich.edu@ITS.UMD.UMICH.EDU
> Flags: FPAT, Etype (skey, tkt): DES cbc mode with CRC-32, DES
> cbc mode with CRC-32
>
> Non-Cross realm kinit; aklog -d; klist -e -f
> Valid starting Expires Service principal
> 05/19/04 07:42:42 05/19/04 17:42:42
> krbtgt/ITS.UMD.UMICH.EDU@ITS.UMD.UMICH.EDU
> Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES
> cbc mode with CRC-32
> 05/19/04 07:42:56 05/19/04 17:42:42
> afs/its.umd.umich.edu@ITS.UMD.UMICH.EDU
> Flags: FPAT, Etype (skey, tkt): DES cbc mode with CRC-32, DES
> cbc mode with CRC-32
>
> Derek
>
> On May 18, 2004, at 11:38 PM, Douglas E. Engert wrote:
>
> > This is KRB5KDC_ERR_POLICY As Jeff said, this would be transited
> > field.
> >
> > After you do a kinit and an "aklog -d"
> > what does "klist -e -f" show?
> > Can you try this on both systems?
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444