[OpenAFS] Tokens, Tickets and two cells...
Frank Burkhardt
fbo2@gmx.net
Wed, 20 Oct 2004 10:52:04 +0200
Hi,
I've got 2 independent AFS cells ('alpha' and 'omega'); authentication is
done using MIT Kerberos 5 and two different realms ('ALPHA' and 'OMEGA');
DB servers are published in DNS (-> AFSDB).
The realms trust each other (krbtgt/ALPHA@OMEGA and krbtgt/OMEGA@ALPHA
exist) and I can, e.g., get tokens for 'omega' while being authenticated to
'ALPHA'. But the fileservers don't like those tokens:
$ hostname -f
pandora.omega
$ kinit frank@ALPHA
Password for frank@ALPHA:
$ aklog -c omega
$ klist -5
Ticket cache: FILE:/tmp/krb5cc_1000_Dc2194
Default principal: frank@ALPHA
Valid starting Expires Service principal
10/20/04 10:27:37 10/20/04 20:27:21 krbtgt/ALPHA@ALPHA
10/20/04 10:27:48 10/20/04 20:27:21 krbtgt/OMEGA@ALPHA
10/20/04 10:27:48 10/20/04 20:27:21 afs@OMEGA
(The PT server seems not to know my name:)
$ tokens
Tokens held by the Cache Manager:
Tokens for afs@omega [Expires Oct 20 20:27]
--End of list--
(Now I do a write access that affects ownership:)
$ touch /afs/omega/temp/x
$ ls -la /afs/omega/temp/x
-rw-r--r-- 1 anonymous nogroup 0 Oct 20 10:19 /afs/omega/temp/x
The fileserver knows that the token is valid but it can't PT-resolve
the contained principal 'frank@alpha'.
Wed Oct 20 10:19:43 2004 FindClient: authenticating connection: authClass=2
Wed Oct 20 10:19:43 2004 FindClient: rxkad conn: name=frank,inst=,cell=ALPHA,exp=1098296369,kvno=213
Wed Oct 20 10:19:43 2004 MapName: cell is foreign. cell=ALPHA, localcell=omega, localrealm=omega
Wed Oct 20 10:19:43 2004 MapName: NameToId on frank@alpha returns anonymousID
Wed Oct 20 10:19:43 2004 SAFS_CreateFile x, Did = 536870945.1.1, Host 10.0.2.1, Id 32766
Wed Oct 20 10:19:43 2004 BCB: BreakCallBack(all but 102000a.7001, (536870945,1,1))
Wed Oct 20 10:19:43 2004 SAFS_CreateFile returns 0
Wed Oct 20 10:19:43 2004 SAFS_StoreStatus, Fid = 536870945.8.16, Host 10.0.2.1, Id 32766
Wed Oct 20 10:19:43 2004 BCB: BreakCallBack(all but 102000a.7001, (536870945,8,16))
Wed Oct 20 10:19:43 2004 SAFS_StoreStatus returns 0
There's no 'frank@alpha' in the (omega) PTDB. 'frank' is a valid PT user.
How can I force Kerberos, aklog or the AFS-fileserver to use 'frank' instead
of 'frank@alpha' as principal name?
Is a general mapping possible (-> s/(.*)\@alpha/$1/)?
PS: I tried to create the additional PT user 'frank@alpha' in the 'omega' PTDB;
'@' characters are not allowed.
Thank you in advance.
Regards,
Frank
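The fileserver log quoted above shows the security-relevant effect of an unmapped cross-realm principal: the connection is rxkad-authenticated, MapName falls back to anonymousID, and the subsequent write RPCs run as Id 32766, so the new file ends up owned by anonymous. The following is an added detection example (editor's code, not part of the post and not OpenAFS code) that parses fileserver log lines in exactly the format shown and reports foreign-cell identities whose NameToId lookup returned anonymousID together with the anonymous writes that followed. Assumptions: the anonymous user id 32766 (taken from the page's own log lines), the list of mutating RPC names beyond SAFS_CreateFile and SAFS_StoreStatus, the constructed trailing log line for a mapped local user, and the heuristic that anonymous writes right after such a fallback belong to it (a busy fileserver interleaves many clients, so in production you would also correlate on Host).

```python
import re

# AFS anonymous user id; the page's log shows it on the writes that followed
# the failed name mapping (assumed constant for this example).
ANONYMOUS_ID = 32766

# RPCs that mutate data. The first two appear on the page; the others are
# assumed OpenAFS fileserver RPC names and can be trimmed if unwanted.
WRITE_RPCS = {
    "SAFS_CreateFile", "SAFS_StoreStatus", "SAFS_StoreData", "SAFS_RemoveFile",
    "SAFS_MakeDir", "SAFS_RemoveDir", "SAFS_Rename", "SAFS_StoreACL",
}

# Constructed sample: the fileserver log lines quoted in the post, plus one
# constructed write by a properly mapped local user (Id 1000) for contrast.
SAMPLE_LOG = """\
Wed Oct 20 10:19:43 2004 FindClient: authenticating connection: authClass=2
Wed Oct 20 10:19:43 2004 FindClient: rxkad conn: name=frank,inst=,cell=ALPHA,exp=1098296369,kvno=213
Wed Oct 20 10:19:43 2004 MapName: cell is foreign. cell=ALPHA, localcell=omega, localrealm=omega
Wed Oct 20 10:19:43 2004 MapName: NameToId on frank@alpha returns anonymousID
Wed Oct 20 10:19:43 2004 SAFS_CreateFile x, Did = 536870945.1.1, Host 10.0.2.1, Id 32766
Wed Oct 20 10:19:43 2004 BCB: BreakCallBack(all but 102000a.7001, (536870945,1,1))
Wed Oct 20 10:19:43 2004 SAFS_CreateFile returns 0
Wed Oct 20 10:19:43 2004 SAFS_StoreStatus, Fid = 536870945.8.16, Host 10.0.2.1, Id 32766
Wed Oct 20 10:19:43 2004 BCB: BreakCallBack(all but 102000a.7001, (536870945,8,16))
Wed Oct 20 10:19:43 2004 SAFS_StoreStatus returns 0
Wed Oct 20 10:21:05 2004 SAFS_CreateFile y, Did = 536870945.1.1, Host 10.0.2.5, Id 1000
"""

# Timestamp prefix shared by every fileserver log line ("Wed Oct 20 10:19:43 2004 ").
TS = r"(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
RXKAD_RE = re.compile(TS + r"FindClient: rxkad conn: name=(?P<name>[^,]*),inst=(?P<inst>[^,]*),cell=(?P<cell>[^,]*),")
FOREIGN_RE = re.compile(TS + r"MapName: cell is foreign\. cell=(?P<cell>[^,]*), localcell=(?P<localcell>\S+),")
ANON_RE = re.compile(TS + r"MapName: NameToId on (?P<lookup>\S+) returns anonymousID")
RPC_RE = re.compile(TS + r"(?P<rpc>SAFS_\w+)\b.*Host (?P<host>[\d.]+), Id (?P<id>\d+)$")


def find_anonymous_fallbacks(log_text):
    """Return one finding per authenticated identity that MapName could not
    resolve, with the anonymous write RPCs observed after it."""
    findings = []
    conn = None      # identity from the most recent rxkad connection line
    foreign = None   # set when MapName reported that identity's cell as foreign
    for line in log_text.splitlines():
        m = RXKAD_RE.match(line)
        if m:
            conn = {"name": m["name"], "inst": m["inst"], "cell": m["cell"]}
            foreign = None
            continue
        m = FOREIGN_RE.match(line)
        if m:
            foreign = {"cell": m["cell"], "localcell": m["localcell"]}
            continue
        m = ANON_RE.match(line)
        if m and conn is not None:
            findings.append({
                "ts": m["ts"],
                "principal": conn["name"],
                "cell": conn["cell"],
                "foreign": foreign is not None,
                "lookup": m["lookup"],   # the name the fileserver asked the PT server for
                "writes": [],
            })
            conn = None
            continue
        m = RPC_RE.match(line)
        # Heuristic: anonymous writes following a fallback are attributed to it.
        if m and int(m["id"]) == ANONYMOUS_ID and m["rpc"] in WRITE_RPCS and findings:
            findings[-1]["writes"].append((m["rpc"], m["host"]))
    return findings


def report(findings):
    """Render findings as one human-readable line each."""
    lines = []
    for f in findings:
        origin = "foreign cell" if f["foreign"] else "local cell"
        rpcs = ", ".join(rpc for rpc, _ in f["writes"]) or "none"
        lines.append(f"{f['ts']}: {f['principal']}@{f['cell']} ({origin}) mapped to anonymous "
                     f"via lookup '{f['lookup']}'; anonymous writes: {rpcs}")
    return lines


if __name__ == "__main__":
    for line in report(find_anonymous_fallbacks(SAMPLE_LOG)):
        print(line)
```

Run against a real FileLog the script lists every authenticated-but-unmapped identity, which is the population whose files will silently be owned by anonymous; if the lookup names all end in a foreign cell suffix, the PTDB simply lacks entries for that cell, and the finding points at the mapping problem rather than at a token or Kerberos trust problem.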