[OpenAFS] Tokens, Tickets and two cells...

Christopher D. Clausen cclausen@acm.org
Wed, 20 Oct 2004 04:16:22 -0500


Frank Burkhardt wrote:
> Hi,
>
> I've got 2 independent AFS-cells ('alpha' and 'omega'),
> authentication is
> done by using MIT5-Kerberos and two different realms ('ALPHA' and
> 'OMEGA'),
> DB-Servers are published in DNS (-> AFSDB).
>
> The Realms trust each other (krbtgt/ALPHA@OMEGA and krbtgt/OMEGA@ALPHA
> exist) and I can get i.e. tokens for 'omega' while being
> authenticated to 'ALPHA'. But the fileservers don't like those tokens:
>
[snip]
>
> There's no 'frank@alpha' in the (omega-) PTDB. 'frank' is a valid
> PT-user.
> How can I force Kerberos, aklog or the AFS-fileserver to use 'frank'
> instead of 'frank@alpha' as principal name?

You might want to read through this thread if you haven't already:
https://lists.openafs.org/pipermail/openafs-info/2004-August/014485.html

I'm pretty sure you are describing a similar situation to what I had and 
I'm pretty sure that you will either need modifications to your KDCs to 
treat the foreign users as local or set up proper support for foreign 
users.

I have made modifications to the Kerberos libraries on my AFS servers so 
that gssklogd will treat credentials from foreign realms as local users 
and return the correct token to the user.  Of course, there is no 
support for gssklog in the AFS clients and each client machine will need 
a gssklog program to obtain tickets.

<<CDC
Christopher D. Clausen
ACM@UIUC SysAdmin
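To make the two remedies in the reply concrete, here is an added example (not code from the thread or from OpenAFS) that models how a fileserver derives the PTS name from a token's Kerberos principal and why 'frank@alpha' fails the lookup in the omega cell. The mapping rule (bare name for the cell's own realms, "user@realm" with a lowercased realm for foreign ones) and the PTDB contents are assumptions constructed from the thread.

```python
# Model of how an AFS fileserver turns the Kerberos principal in a token into
# the name it looks up in the protection database (PTDB), plus the two fixes
# discussed in the reply. Constructed illustration, not OpenAFS code; the
# mapping rule is assumed from the thread's "frank@alpha" example.

def pts_name(principal, local_realms):
    """Map a Kerberos principal to the PTS name the fileserver looks up."""
    name, _, realm = principal.rpartition("@")
    if not realm:
        raise ValueError("principal without realm: %r" % principal)
    if realm.upper() in {r.upper() for r in local_realms}:
        return name                        # local realm: bare user name
    return "%s@%s" % (name, realm.lower())  # foreign realm: user@realm

def authorize(principal, local_realms, ptdb):
    """Return the PTS entry the fileserver would use, or None if unmatched."""
    name = pts_name(principal, local_realms)
    return name if name in ptdb else None

# Constructed state of the 'omega' cell from the thread: 'frank' exists in
# its PTDB, but a cross-realm ticket carries the principal frank@ALPHA.
OMEGA_PTDB = {"frank", "admin"}

# Remedy 1 (the approach described in the reply): the omega servers treat
# ALPHA as one of their own realms, so frank@ALPHA collapses to 'frank'.
def with_alpha_as_local(principal):
    return authorize(principal, {"OMEGA", "ALPHA"}, OMEGA_PTDB)

# Remedy 2 (proper foreign-user support): register the foreign name in PTDB
# so the lookup of 'frank@alpha' succeeds as its own entry.
def with_foreign_pts_entry(principal):
    return authorize(principal, {"OMEGA"}, OMEGA_PTDB | {"frank@alpha"})

if __name__ == "__main__":
    # The failure from the thread: foreign name, no matching PTDB entry.
    print(authorize("frank@ALPHA", {"OMEGA"}, OMEGA_PTDB))   # None
    print(with_alpha_as_local("frank@ALPHA"))                 # frank
    print(with_foreign_pts_entry("frank@ALPHA"))              # frank@alpha
```

Note that remedy 1 makes every ALPHA principal indistinguishable from a same-named OMEGA principal, so it is only safe when both realms are administered as one namespace; remedy 2 keeps the realms separate in PTDB.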