[OpenAFS] MS Active Directory, Cross realm trust

Mikkel Kruse Johnsen mikkel@linet.dk
Wed, 01 Aug 2007 13:42:16 +0200


Hi All

I have an MS Active Directory (HHK.DK) that almost all users are created
in. I have an MIT Kerberos (CBS.DK) that I have some other users in.
There is a two-way trust between them and I know that it works.

I have a user mkj.lib@CBS.DK in the MIT Kerberos and a user
mkj.lib@HHK.DK in MS AD. The OpenAFS afs/sugi.cbs.dk token is in MIT
Kerberos. Using my mkj.lib@CBS.DK I can access my home dir in AFS, but
when using mkj.lib@HHK.DK it fails on aklog.

Is this possible?

/Mikkel

-----------------

[mkj@sugi ~]$ kinit mkj.lib@HHK.DK
Password for mkj.lib@HHK.DK: 
[mkj@sugi ~]$ klist 
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
08/01/07 13:32:26  08/01/07 23:32:29  krbtgt/HHK.DK@HHK.DK
        renew until 08/02/07 13:32:26


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

----------------

[mkj@sugi ~]$ aklog 
aklog: Unknown code PT 8 so unable to create remote PTS user
mkj.lib@hhk.dk in cell cbs.dk (status: 267272).

---------------

[mkj@sugi ~]$ klist -e -f
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
08/01/07 13:32:26  08/01/07 23:32:29  krbtgt/HHK.DK@HHK.DK
        renew until 08/02/07 13:32:26, Flags: FRIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 
08/01/07 13:32:32  08/01/07 23:32:29  krbtgt/CBS.DK@HHK.DK
        renew until 08/02/07 13:32:26, Flags: FRAO
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
08/01/07 13:32:32  08/01/07 23:32:29  afs/cbs.dk@CBS.DK
        renew until 08/01/07 13:32:32, Flags: FRAT
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
-------------

Mikkel Kruse Johnsen
Copenhagen Business School
Solbjergplads
2100 Frederiksberg
Mikkel Kruse Johnsen
Linet
Ørholmgade 6 st tv
2200 København N

Tlf: +45 2128 7793
email: mikkel@linet.dk
www: http://www.linet.dk
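
Added example, not part of Mikkel's message and not OpenAFS code: a small Python script that parses the `klist -e -f` listing quoted above, walks the cross-realm krbtgt hop from HHK.DK to CBS.DK, derives the PTS name aklog hands to the ptserver (for a principal from a realm that is not local to the cell, the realm is kept and lower-cased, which is why the error names `mkj.lib@hhk.dk`), and flags session and ticket keys that use single DES or RC4-HMAC. The cell name `cbs.dk` and the list of realms treated as local to the cell are assumptions passed in by the caller. For reference, status 267272 is PRBADNAM ("badly formed name") in the OpenAFS PT error table; com_err prints it as "Unknown code PT 8" when that table has not been loaded.

```python
import re
from dataclasses import dataclass

# Constructed sample: the klist -e -f output quoted in the message above.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: mkj.lib@HHK.DK

Valid starting     Expires            Service principal
08/01/07 13:32:26  08/01/07 23:32:29  krbtgt/HHK.DK@HHK.DK
        renew until 08/02/07 13:32:26, Flags: FRIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/01/07 13:32:32  08/01/07 23:32:29  krbtgt/CBS.DK@HHK.DK
        renew until 08/02/07 13:32:26, Flags: FRAO
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
08/01/07 13:32:32  08/01/07 23:32:29  afs/cbs.dk@CBS.DK
        renew until 08/01/07 13:32:32, Flags: FRAT
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""

# Key types common in a 2007 AFS/AD setup that are considered weak today.
WEAK_ETYPE_MARKERS = ("DES cbc", "ArcFour")

TICKET_RE = re.compile(r"^\d\d/\d\d/\d\d \S+\s+\d\d/\d\d/\d\d \S+\s+(\S+)\s*$")
FLAGS_RE = re.compile(r"Flags:\s*(\S+)")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")


@dataclass
class Ticket:
    service: str
    flags: str = ""
    skey_etype: str = ""
    tkt_etype: str = ""


def parse_klist(text):
    """Return (default principal, [Ticket, ...]) from klist -e -f output."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(service=m.group(1)))
            continue
        if not tickets:
            continue  # cache header lines before the first ticket
        m = FLAGS_RE.search(line)
        if m:
            tickets[-1].flags = m.group(1)
        m = ETYPE_RE.search(line)
        if m:
            tickets[-1].skey_etype, tickets[-1].tkt_etype = m.groups()
    return principal, tickets


def pts_name_for(principal, cell_realms):
    """PTS name aklog derives: bare user for a realm local to the cell,
    otherwise user@realm with the realm lower-cased (hence mkj.lib@hhk.dk).
    cell_realms is an assumption supplied by the caller."""
    user, realm = principal.rsplit("@", 1)
    if realm.upper() in {r.upper() for r in cell_realms}:
        return user
    return f"{user}@{realm.lower()}"


def cross_realm_path(principal, tickets):
    """Realms traversed via cross-realm krbtgt tickets, starting at the client's."""
    current = principal.rsplit("@", 1)[1]
    path, hops = [current], {}
    for t in tickets:
        if t.service.startswith("krbtgt/"):
            target, issuer = t.service[len("krbtgt/"):].split("@", 1)
            if target != issuer:  # krbtgt/CBS.DK@HHK.DK is a cross-realm hop
                hops[issuer] = target
    while current in hops and hops[current] not in path:
        current = hops[current]
        path.append(current)
    return path


def weak_etypes(tickets):
    """Services whose session or ticket key uses single DES or RC4-HMAC."""
    return [t.service for t in tickets
            if any(m in t.skey_etype or m in t.tkt_etype for m in WEAK_ETYPE_MARKERS)]


def diagnose(text, cell, cell_realms):
    """Summarise what aklog will do with this cache for the given cell."""
    principal, tickets = parse_klist(text)
    afs = next((t.service for t in tickets
                if t.service.startswith(("afs/" + cell + "@", "afs@"))), None)
    name = pts_name_for(principal, cell_realms)
    return {
        "principal": principal,
        "pts_name": name,
        "foreign_user": "@" in name,  # ptserver must auto-create this entry
        "realm_path": cross_realm_path(principal, tickets),
        "afs_ticket": afs,
        "weak_etype_tickets": weak_etypes(tickets),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_KLIST, "cbs.dk", ["CBS.DK"]).items():
        print(f"{key:20} {value}")
```

Run against the quoted cache, the script reports the path HHK.DK -> CBS.DK, the service ticket `afs/cbs.dk@CBS.DK`, the foreign PTS name `mkj.lib@hhk.dk`, and that every ticket in the cache, including the AFS service ticket, carries a DES or RC4 key. The `foreign_user` flag marks the step at which the posted run fails: aklog asks the ptserver to create a `user@realm` entry, and in OpenAFS the ptserver only does that when the group `system:authuser@<realm>` (here `system:authuser@hhk.dk`) exists in the cell's PTS database with a non-zero group quota; a missing group is one cause of PRBADNAM. Whether that is the cause in this cell is not something the listing alone can show.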
