[OpenAFS] how to set up cross cell trust
Chen, Wen-shiang
chenws47@ku.edu
Tue, 1 May 2007 13:45:03 -0500
Hi, I am quite new to AFS, so sorry if this question is too basic. I
have almost no understanding of Kerberos either. The original request
was to set up a cross-realm trust between a running AFS server and the
university's AD. But before doing that, I think it might be safer to
try things out on machines in my office. So I have set up an AFS cell,
atmo.ku.edu, on one of the Linux boxes here. And after reading several
articles about setting up AD as the KDC for AFS, I thought what I need
to do is (1) share a key between atmo.ku.edu (testing cell) and ku.edu
(working cell) and (2) create a special group system:authuser@ku.edu on
cell atmo.ku.edu.
By issuing the command,
pts add system:authuser@ku.edu -o system:administrators
I can create the group system:authuser@ku.edu on cell atmo.ku.edu. And
it can be seen by issuing the command
pts listent -g
Then I encountered problems with how to share keys between the two
cells, and I have many questions:
(1) How do I create the shared key?
I have tried pts add krbtgt/ATMO.KU.EDU@KU.EDU, but got an error
message about the missing required parameter -group.
I have also tried uss add -admin admin -user
krbtgt/ATMO.KU.EDU@KU.EDU, but uss complained that the user name should
not have an instance string.
Then I used kas -admin admin to create krbtgt/ATMO.KU.EDU@KU.EDU, but
it also complained about an illegal character (my guess is the @
character).
So what should I do to share the key?
(2) Do I need to set up a Kerberos server for my testing cell so that it
could process the krbtgt requests? Currently, the authentication for
both cells is done by kaserver.
Thank you very much for your help in advance.
Chen
---------------------------------------
Technology Support Tech
Department of Geography
1475 Jayhawk Blvd
410 Lindley Hall
University of Kansas
Lawrence, KS 66045
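An added example, not part of the post above and not OpenAFS code, that decomposes the principal names the message uses. It shows that krbtgt/ATMO.KU.EDU@KU.EDU is a two-component cross-realm ticket-granting principal (primary krbtgt, instance ATMO.KU.EDU, realm KU.EDU) rather than a bare user name, which is why tools that expect a plain AFS user name object to the instance and to the @ sign. The regular expression, the classification labels, the trust_pair naming (standard Kerberos 5 form, with no claim about what kaserver accepts) and the realm-to-cell lowercase mapping are all assumptions of this example; it never contacts a KDC or a kaserver.

```python
"""Decompose Kerberos 5 principal names and relate them to AFS cell names.

Constructed example for this thread; it parses text only and talks to no server.
"""
import re

# Kerberos 5 text form: primary[/instance]@REALM.  Backslash quoting of '/' and '@'
# is legal in real principals and is deliberately not handled here (assumption).
_PRINCIPAL = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^/@]+)$"
)


def parse_principal(text):
    """Return (primary, instance, realm); instance is None when the name has none."""
    match = _PRINCIPAL.match(text)
    if not match:
        raise ValueError(f"malformed principal: {text!r}")
    return match.group("primary"), match.group("instance"), match.group("realm")


def is_valid_principal(text):
    """True when text has the primary[/instance]@REALM shape."""
    return _PRINCIPAL.match(text) is not None


def is_bare_user_name(text):
    """True for a name with neither an instance nor a realm marker, e.g. 'admin'.

    This is the shape the post's uss and kas complaints point at: uss rejected the
    instance string, kas rejected the '@'.
    """
    return "/" not in text and "@" not in text


def classify_principal(text):
    """Label what a principal names.

    cross-realm-tgs : krbtgt/<remote REALM>@<local REALM>, the entry whose key is
                      shared between two realms so tickets from one are honoured by
                      the other (the key the post is trying to create)
    local-tgs       : krbtgt/<REALM>@<REALM>, the realm's own ticket-granting key
    service         : any other primary with an instance, e.g. afs/cell@REALM
    user            : a primary with no instance
    """
    primary, instance, realm = parse_principal(text)
    if primary == "krbtgt" and instance is not None:
        return "cross-realm-tgs" if instance != realm else "local-tgs"
    return "service" if instance else "user"


def trust_pair(realm_a, realm_b):
    """The two cross-realm principals a bidirectional trust needs, in Kerberos 5 form.

    Each realm holds krbtgt/<other realm>@<own realm>; both entries must share one
    key.  Whether kaserver will store a name in this form is the open question in
    the post, so this only produces the names (assumption: standard Kerberos 5).
    """
    return (f"krbtgt/{realm_a}@{realm_b}", f"krbtgt/{realm_b}@{realm_a}")


def foreign_user_group(realm):
    """AFS group holding authenticated users from another cell.

    Assumes the usual convention that the cell name is the realm lowercased
    (KU.EDU -> ku.edu), matching the post's system:authuser@ku.edu.
    """
    return f"system:authuser@{realm.lower()}"


if __name__ == "__main__":
    for name in ("krbtgt/ATMO.KU.EDU@KU.EDU", "admin@ATMO.KU.EDU", "afs/atmo.ku.edu@ATMO.KU.EDU"):
        print(f"{name:35} {classify_principal(name):16} bare user name: {is_bare_user_name(name)}")
    print(trust_pair("ATMO.KU.EDU", "KU.EDU"))
    print(foreign_user_group("KU.EDU"))
```

Running the block as a script lists each name from the post with its classification; the practical point is that the name being fed to uss and kas is classified as cross-realm-tgs, not user, so a user-creation tool is the wrong place for it.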