[OpenAFS] cross-realm auth and windows gui

Christopher D. Clausen cclausen@acm.org
Fri, 3 Nov 2006 09:38:03 -0600

Dave Botsch <botsch@cnf.cornell.edu> wrote:
> I've been looking into doing cross-realm auth with afs. For the most
> part, it looks like this is pretty darn easy...
> setup the system:authuser@foreignrealm group
> kinit in the foreign realm, run aklog/afslog -- this creates the pts
> entry
> add any afs acls

You can also just have afs service principals from BOTH realms added to 
the KeyFile on your servers.  This is what I have done.  This allows 
users in both realms to authenticate as the same pts id.

cclausen@AD.UIUC.EDU -> cclausen (25160 in acm.uiuc.edu)
cclausen@ACM.UIUC.EDU -> cclausen (25160 in acm.uiuc.edu)

This is significantly less confusing to the user, although it assumes 
that you can trust that users in each realm are the same actual person.

> This leaves Windows... I see that Windows does come w. an
> aklog.exe... so, presumably, I could write a script to do the
> kinit/aklog.exe...

I have an aklog.cmd script:
@echo off
IF "%1" == "" (
        echo running aklog.exe -cell acm.uiuc.edu -k AD.UIUC.EDU -5
        aklog.exe -cell acm.uiuc.edu -k AD.UIUC.EDU -5
) ELSE (
        aklog.exe %*

By default, my Windows machines will attempt to use AD creds to obtain 
tokens when users type in "aklog."  you either need to explicitly use 
aklog.exe or just specify some other aklog options to have the default 

I have a login script (in the Start Menu "Startup") that runs the 

@echo off
IF "%USERNAME%" == "install" (
  rem Put user's session into install mode
  change user /install
) ELSE (
  rem Do things for remote users
  aklog.exe -cell acm.uiuc.edu -k AD.UIUC.EDU

> what about the afscreds.exe gui in 1.4.2? Is there a way to tell it
> that the kerberos tickets are in realm A but it needs to get an afs
> service ticket in realm B?

This is possible from KfW with the AFS plugin (included in 1.5.10.)  I 
haven't figured out how to do it from the afscreds gui.

Christopher D. Clausen