[OpenAFS] MS Active Directory, Cross realm trust

Douglas E. Engert deengert@anl.gov
Wed, 01 Aug 2007 10:21:32 -0500


Read the thread on "Username in pts". Your principal name has a . in it;
sounds like the same problem.

Mikkel Kruse Johnsen wrote:
> Hi All
>
> I have a MS Active Directory (HHK.DK) that almost all users are created
> in. I have a MIT Kerberos (CBS.DK) that I have some other users in.
> There is a two-way trust between them and I know that it works.
>
> I have a user mkj.lib@CBS.DK in the MIT Kerberos
> and a user mkj.lib@HHK.DK in MS AD. The OpenAFS
> afs/sugi.cbs.dk token is in MIT Kerberos. Using my mkj.lib@CBS.DK
> I can access my home dir in AFS, but when using
> mkj.lib@HHK.DK it fails on aklog.
>
> Is this possible?
>
> /Mikkel
>
> -----------------
>
> [mkj@sugi ~]$ kinit mkj.lib@HHK.DK
> Password for mkj.lib@HHK.DK:
> [mkj@sugi ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: mkj.lib@HHK.DK
>
> Valid starting     Expires            Service principal
> 08/01/07 13:32:26  08/01/07 23:32:29  krbtgt/HHK.DK@HHK.DK
>         renew until 08/02/07 13:32:26
>
>
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
>
> ----------------
>
> [mkj@sugi ~]$ aklog
> aklog: Unknown code PT 8 so unable to create remote PTS user mkj.lib@hhk.dk in cell cbs.dk (status: 267272).
>
> ---------------
>
> [mkj@sugi ~]$ klist -e -f
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: mkj.lib@HHK.DK
>
> Valid starting     Expires            Service principal
> 08/01/07 13:32:26  08/01/07 23:32:29  krbtgt/HHK.DK@HHK.DK
>         renew until 08/02/07 13:32:26, Flags: FRIA
>         Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> 08/01/07 13:32:32  08/01/07 23:32:29  krbtgt/CBS.DK@HHK.DK
>         renew until 08/02/07 13:32:26, Flags: FRAO
>         Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
> 08/01/07 13:32:32  08/01/07 23:32:29  afs/cbs.dk@CBS.DK
>         renew until 08/01/07 13:32:32, Flags: FRAT
>         Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>
>
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
> -------------
>
> Mikkel Kruse Johnsen
> Copenhagen Business School
> Solbjergplads
> 2100 Frederiksberg
>
> Mikkel Kruse Johnsen
> Linet
> Ørholmgade 6 st tv
> 2200 København N
>
> Tlf: +45 2128 7793
> email: mikkel@linet.dk
> www: http://www.linet.dk
>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444