[OpenAFS] Tokens, Tickets and two cells...
Christopher D. Clausen
cclausen@acm.org
Wed, 20 Oct 2004 04:16:22 -0500
Frank Burkhardt wrote:
> Hi,
>
> I've got 2 independent AFS cells ('alpha' and 'omega'); authentication is
> done using MIT Kerberos 5 and two different realms ('ALPHA' and 'OMEGA').
> DB servers are published in DNS (-> AFSDB).
>
> The realms trust each other (krbtgt/ALPHA@OMEGA and krbtgt/OMEGA@ALPHA
> exist) and I can get i.e. tokens for 'omega' while being
> authenticated to 'ALPHA'. But the fileservers don't like those tokens:
>
[snip]
>
> There's no 'frank@alpha' in the (omega) PTDB. 'frank' is a valid PT user.
> How can I force Kerberos, aklog or the AFS fileserver to use 'frank'
> instead of 'frank@alpha' as the principal name?
You might want to read through this thread if you haven't already:
https://lists.openafs.org/pipermail/openafs-info/2004-August/014485.html
I'm pretty sure you are describing a similar situation to what I had, and
I'm pretty sure that you will either need modifications to your KDCs to
treat the foreign users as local or set up proper support for foreign
users.
I have made modifications to the Kerberos libraries on my AFS servers so
that gssklogd will treat credentials from foreign realms as local users
and return the correct token to the user. Of course, there is no
support for gssklog in the AFS clients and each client machine will need
a gssklog program to obtain tickets.
<<CDC
Christopher D. Clausen
ACM@UIUC SysAdmin
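As an added example that is not part of this thread, a short Python simulation of the name mapping behind the symptom above: a local-realm principal becomes its bare user name, a foreign-realm principal becomes user@realm (realm lowercased), and the fileserver then looks that name up in the cell's PTDB. The mapping rule, the constructed PTDB and the pts command in the comment are assumptions for illustration.

```python
# Added example (not from the thread). Simulates how a Kerberos principal is
# turned into an AFS PT name and whether the cell's PTDB knows that name.
# Assumptions: mapping rule as described in the lead-in; PTDB contents are
# constructed; the `pts createuser` command noted below is the usual way an
# admin registers a foreign user, but run it against a real cell to confirm.

def principal_to_ptname(principal: str, cell_realm: str) -> str:
    """Map user@REALM to the name the cell's fileservers look up."""
    user, _, realm = principal.partition("@")
    if not realm or realm.upper() == cell_realm.upper():
        return user                        # local realm: bare user name
    return f"{user}@{realm.lower()}"       # foreign realm: user@realm


def fileserver_accepts(principal: str, cell_realm: str, ptdb: set) -> tuple:
    """Return (accepted, ptname): accepted only if ptname is in the PTDB."""
    name = principal_to_ptname(principal, cell_realm)
    return (name in ptdb, name)


def register_foreign_user(ptdb: set, ptname: str) -> set:
    """Model of the admin registering a foreign user in the PTDB.
    In a real cell this is roughly: pts createuser <user@realm> -cell <cell>
    (assumption; only foreign names of the form user@realm are accepted here)."""
    if "@" not in ptname:
        raise ValueError("foreign PT names must be user@realm")
    return ptdb | {ptname}


# Constructed PTDB for cell 'omega' (realm OMEGA): local users only.
OMEGA_PTDB = {"frank", "admin"}

if __name__ == "__main__":
    # 1. Home-realm ticket maps to 'frank', which the PTDB knows.
    print(fileserver_accepts("frank@OMEGA", "OMEGA", OMEGA_PTDB))
    # 2. Cross-realm ticket maps to 'frank@alpha': absent, so the fileserver
    #    refuses it, which is the situation described in the thread.
    print(fileserver_accepts("frank@ALPHA", "OMEGA", OMEGA_PTDB))
    # 3. Once 'frank@alpha' is registered, the same token is accepted.
    fixed = register_foreign_user(OMEGA_PTDB, "frank@alpha")
    print(fileserver_accepts("frank@ALPHA", "OMEGA", fixed))
```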