[OpenAFS] how to set up cross cell trust

Christopher D. Clausen cclausen@acm.org
Tue, 1 May 2007 16:02:00 -0500
Chen, Wen-shiang <chenws47@ku.edu> wrote:
> Hi, I am quite new to afs, so sorry if this question is too basic.  I
> have almost no understanding of Kerberos either.  The original request
> was to set up a cross realm trust between a running AFS server and
> university's AD.  But before doing that, I think it might be safer to
> try things out on machines in my office.  So I have set up an AFS
> cell, atmo.ku.edu, on one of the Linux boxes here. And after reading
> several articles about setting AD as KDC for AFS, I thought what I
> need to do are (1) share a key between atmo.ku.edu (testing cell) and
> ku.edu (working cell) (2) create a special group
> system:authuser@ku.edu on cell atmo.ku.edu.
>
> By issuing the command,
>
> pts add system:authuser@ku.edu -o system:administrators
>
> I can create the group system:authuser@ku.edu on cell atmo.ku.edu.
> And it can be seen by issuing the command
>
> pts listent -g
>
> Then I encounter problems in how to share keys between the two cells.
> And I have many questions:
>
> (1)  How to create the share key?
>
>      I have tried pts add krbtgt/ATMO.KU.EDU@KU.EDU, but got an error
> message for missing required parameter -group
>
>      I have also tried uss add -admin admin -user
> krbtgt/ATMO.KU.EDU@KU.EDU, but uss complained about user name should
> not have instance string.
>
>     Then use kas -admin admin to create krbtgt/ATMO.KU.EDU@KU.EDU, but
> it also complains about illegal character (my guess is the @ letter)
>
>   So what should I do to share the key?

First of all, you should NOT be using kaserver and kas if you are 
setting up a new cell, but there might be issues involved with your 
current cell, depending upon lots of factors.  Are you aware of all of 
the changes required to move from kaserver to pure Kerberos 5?

What AFS / OpenAFS version are the servers in ku.edu running right now? 
A certain version is required to have Kerberos 5 support, which would be 
needed to use Active Directory as the KDC.

> (2) Do I need to set up a Kerberos server for my testing cell so that
> it could process the krbtgt requests?  Currently, the authentication
> for both cells is done by kaserver.

What are you trying to do?  Just join your current cell to an existing 
KDC (in AD)?  Or do you want to be able to support user principals from 
multiple different KDCs?  Treating the two KDC principal namespaces 
equally?  Or treating one realm as "local" and one realm as "foreign"?

I don't think a cross-realm trust will help you, as that would by 
default set up all AD users as "foreign" and you would need to re-add all 
of them to the ACLs in your volumes.  You would likely be better off 
just adding an afs service principal to your AD and to the KeyFiles on 
your AFS servers and treat both kaserver and the AD realms as equal for 
now (assuming the users are named the same in both places.)

You can join #openafs on the Freenode IRC network and one (or more) of 
the kind people on there can guide you through either process.

<<CDC
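To make the "local" versus "foreign" distinction in the reply concrete, here is an added example (not code from the thread or from OpenAFS) that predicts the PTS name a Kerberos 5 principal maps to, given the realms the cell treats as local. It assumes the usual OpenAFS mapping: a local-realm principal drops its realm and has '/' turned into '.', while a foreign-realm principal keeps a lowercased realm suffix (user@realm), which is why ACL entries would have to be re-added under a cross-realm setup; the principals used are constructed.

```shell
#!/bin/sh
# pts_name PRINCIPAL LOCAL_REALM... -> prints the PTS name the cell would use.
# Returns 0 when the realm is local, 1 when it is foreign, 2 on a malformed
# principal. Mapping rules are an assumption stated in the lead-in.
pts_name() {
    princ=$1; shift
    case $princ in
        *@*) ;;
        *) echo "no realm in principal: $princ" >&2; return 2 ;;
    esac
    name=${princ%@*}
    realm=${princ##*@}
    # Kerberos 4 style name: instance separator '/' becomes '.'
    v4name=$(printf '%s' "$name" | tr '/' '.')
    for lr in "$@"; do
        if [ "$realm" = "$lr" ]; then
            printf '%s\n' "$v4name"
            return 0
        fi
    done
    # Foreign realm: keep the realm, lowercased, as in system:authuser@ku.edu
    printf '%s@%s\n' "$v4name" "$(printf '%s' "$realm" | tr 'A-Z' 'a-z')"
    return 1
}

# count_foreign "LOCAL_REALMS" PRINCIPAL... -> how many principals would show
# up as foreign users, i.e. entries that would need re-adding to volume ACLs.
count_foreign() {
    locals=$1; shift
    n=0
    for p in "$@"; do
        case $p in *@*) ;; *) continue ;; esac
        # shellcheck disable=SC2086
        if ! pts_name "$p" $locals >/dev/null; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed demonstration: the test cell from the thread treating only its
# own realm as local, so AD principals come out as foreign names.
for p in chenws47@ATMO.KU.EDU chenws47@KU.EDU admin/admin@KU.EDU; do
    pts_name "$p" ATMO.KU.EDU || true
done
```

Listing both realms as local (the "treat both realms as equal" option in the reply) makes the same principals map to plain names, as the second count_foreign call below shows.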