[OpenAFS] Cross Realm Kerberos+AFS

Derek Harkness dharknes@umd.umich.edu
Wed, 19 May 2004 12:53:00 -0400 

Woohoo!!! I got a different error.  Thanks for all the HELP!

The magic switch is -X on krb524d.

The new error is

aklog: Badly formed name (group prefix doesn't match owner?) so unable 
to create remote PTS user dharknes@umd.umich.edu in cell 
its.umd.umich.edu (status: 267272)

This is where I need to create a system:authuser@umd.umich.edu. Right?

Thanks again,
Derek

On May 19, 2004, at 12:14 PM, Douglas E. Engert wrote:

> As Ken pointed out, this looks like krb524d. It can return 
> KRB5KDC_ERR_POLICY
> if you try and use a V4 cross realm ticket, which is what krb524d is
> doing for you. There are options in krb524d to use a V5 ticket which 
> can
> handle cross realm for you.
>
>
>
> Derek Harkness wrote:
>>
>> Cross realm kinit; aklog -d; klist -e -f
>>
>> Valid starting     Expires            Service principal
>> 05/19/04 07:41:17  05/19/04 17:41:15  
>> krbtgt/UMD.UMICH.EDU@UMD.UMICH.EDU
>>          Flags: FPIA, Etype (skey, tkt): Triple DES cbc mode with
>> HMAC/sha1, Triple DES cbc mode with HMAC/sha1 05/19/04 07:41:18
>> 05/19/04 17:41:15  krbtgt/ITS.UMD.UMICH.EDU@UMD.UMICH.EDU
>>          Flags: FPAT, Etype (skey, tkt): Triple DES cbc mode with
>> HMAC/sha1, DES cbc mode with CRC-32
>> 05/19/04 07:41:18  05/19/04 17:41:15
>> afs/its.umd.umich.edu@ITS.UMD.UMICH.EDU
>>          Flags: FPAT, Etype (skey, tkt): DES cbc mode with CRC-32, DES
>> cbc mode with CRC-32
>>
>> Non-Cross realm kinit; aklog -d; klist -e -f
>> Valid starting     Expires            Service principal
>> 05/19/04 07:42:42  05/19/04 17:42:42
>> krbtgt/ITS.UMD.UMICH.EDU@ITS.UMD.UMICH.EDU
>>          Flags: FPIA, Etype (skey, tkt): DES cbc mode with CRC-32, DES
>> cbc mode with CRC-32
>> 05/19/04 07:42:56  05/19/04 17:42:42
>> afs/its.umd.umich.edu@ITS.UMD.UMICH.EDU
>>          Flags: FPAT, Etype (skey, tkt): DES cbc mode with CRC-32, DES
>> cbc mode with CRC-32
>>
>> Derek
>>
>> On May 18, 2004, at 11:38 PM, Douglas E. Engert wrote:
>>
>>> This is KRB5KDC_ERR_POLICY  As Jeff said, this would be transited
>>> field.
>>>
>>> After you do a kinit and an "aklog -d"
>>>  what does "klist -e -f" show?
>>> Can you try this on both systems?
>
> -- 
>
>  Douglas E. Engert  <DEEngert@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>