[OpenAFS] Re: Mapping btw. AFS tokens and Kerberos tickets (Heimdal)

Coy Hile coy.hile@coyhile.ca
Tue, 8 Nov 2005 19:45:55 -0800 (PST)

On Tue, 8 Nov 2005, Florian Daniel Otel wrote:
> After some more digging I narrowed down the problem to aklog. The
> problem is that apparently "aklog" does some translation on the
> Kerberos principal name.
> In particular, if the Kerberos principal contains a "/"  -- like e.g.
> "florian/admin", aklog actually tries to resolve "florian.admin"
> instead (which doesn't exist in the cell) thus resolves it as ID 32766
> (i.e. "anonymous").
> kdc-hostname:~# kauth florian/admin
> florian/admin@DOMAIN.COM's Password:
> kauth: NOTICE: ticket renewable lifetime is 1 week
> kdc-hostname:~# aklog -d -force
> Authenticating to cell domain.com (server kdc-hostname.domain.com).
> We've deduced that we need to authenticate to realm DOMAIN.COM.
> Getting tickets: afs/domain.com@DOMAIN.COM
> About to resolve name florian.admin to id in cell domain.com.
> Id 32766
> Set username to florian.admin
> Setting tokens. florian.admin /  @ DOMAIN.COM
> kdc-hostname:~# tokens
> Tokens held by the Cache Manager:
> Tokens for afs@domain.com [Expires Nov  9 07:09]
>    --End of list--

Create your PTS usernames as florian.admin rather htan florian/admin (while
retaining the latter as your krb5 account names) and the transations will
be done automatically.

Coy Hile