[Fwd: Re: [OpenAFS] host principal and keytab]

Andrew Bacchi bacchi@rpi.edu
Mon, 07 Jan 2008 13:07:13 -0500


forgot to reply-all



The PTS entry is the part I missed so far.  To clarify, the K4 principal
should look like rcmd.server@REALM, not rcmd.server.rpi.edu@REALM?

Jeffrey Altman wrote:
> Andrew Bacchi wrote:
>> I need to allow hosts to read/write files into AFS directories.  I 
>> currently have a host principal as host/server.rpi.edu, and I 
>> extracted a keytab file for it as /etc/krb5.keytab.
>>
>> This is not working, so I must be missing something.  How do I get AFS 
>> tokens using krb5.keytab? There is some AFS form to the principal in 
>> kerberos 5 that I haven't mapped correctly.
> 
> Several things:
> 
> (1) you must create a PTS entry that matches the service principal.
>     (see note below)
> 
> (2) you must obtain a Kerberos TGT using the keytab
> 
> (3) you must set a token using that TGT with aklog
> 
> Note that AFS does not currently have a notion of an identity for the 
> cache manager and given the fact that the principal names must be 
> converted to krb4 format the PTS entry for host/server.rpi.edu@REALM 
> will become rcmd.server@REALM when performing lookups in the PTS database.
> 
> There is nothing that will distinguish this AFS ID as a machine ID. When 
> it is being used, the process will be a member of system:authuser.
> 
> 

-- 
veritatis simplex oratio est
		-Seneca

Andrew Bacchi
Systems Programmer
Information Technologies Infrastructure
Rensselaer Polytechnic Institute
phone: 518.276.6415  fax: 518.276.2809

http://www.rpi.edu/~bacchi/

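The three steps in Jeffrey's reply, written out as an added shell example (this is not code from the thread or from OpenAFS). It assumes a principal of the form host/server.rpi.edu@REALM with REALM as a placeholder, and it hard-codes only the part of the krb5-to-krb4 name conversion the reply describes: the "host" service becomes "rcmd" and the instance is the unqualified hostname. The real krb5 524 conversion also renames a few other services and strips the domain according to krb5.conf, so treat the conversion function as a simplified check, not a replacement for the library routine. The commands kinit, aklog, tokens and pts are the standard MIT/Heimdal and OpenAFS tools; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: turn a host/ keytab into an AFS token, following the
# three steps (PTS entry, TGT from keytab, aklog) from the reply.

# krb5_to_krb4 PRINCIPAL
#   Prints the krb4-style name OpenAFS uses for the PTS lookup:
#   host/server.rpi.edu@REALM -> rcmd.server@REALM
#   Simplified: only "host" is renamed (to "rcmd") and the instance is
#   cut at the first dot. The real 524 conversion knows more services
#   and takes its domain stripping from krb5.conf (assumption: that
#   detail does not matter for a host/ principal in the local realm).
krb5_to_krb4() {
    princ=$1
    realm=${princ##*@}
    local_part=${princ%@*}
    case $local_part in
        */*)
            name=${local_part%%/*}
            inst=${local_part#*/}
            [ "$name" = host ] && name=rcmd   # krb4 name of the host service
            inst=${inst%%.*}                  # krb4 instance: unqualified host
            printf '%s.%s@%s\n' "$name" "$inst" "$realm"
            ;;
        *)
            printf '%s@%s\n' "$local_part" "$realm"
            ;;
    esac
}

# afs_pts_name PRINCIPAL
#   The PTS user name for a principal in the cell's own realm: the krb4
#   name without the @REALM part (rcmd.server).
afs_pts_name() {
    k4=$(krb5_to_krb4 "$1")
    printf '%s\n' "${k4%@*}"
}

# create_pts_entry PRINCIPAL   (step 1, run once with an admin token)
create_pts_entry() {
    pts createuser "$(afs_pts_name "$1")"
}

# machine_token PRINCIPAL [KEYTAB]   (steps 2 and 3, run on the host)
#   Get a TGT from the keytab, then let aklog turn it into an AFS token.
#   The resulting AFS ID is just rcmd.server; nothing marks it as a
#   machine, and it is a member of system:authuser like any other user.
machine_token() {
    princ=$1
    keytab=${2:-/etc/krb5.keytab}
    kinit -k -t "$keytab" "$princ" || return 1
    aklog || return 1
    tokens
}

# Usage (does nothing unless a sub-command is given):
#   sh afs-host-token.sh name  host/server.rpi.edu@REALM
#   sh afs-host-token.sh pts   host/server.rpi.edu@REALM
#   sh afs-host-token.sh token host/server.rpi.edu@REALM /etc/krb5.keytab
case ${1:-} in
    name)  krb5_to_krb4 "$2" ;;
    pts)   create_pts_entry "$2" ;;
    token) machine_token "$2" "${3:-/etc/krb5.keytab}" ;;
esac
```

A quick sanity check before touching PTS is to run the `name` sub-command and compare its output with what `pts examine` later reports for the token, since a mismatch between the converted name and the PTS entry is exactly the symptom of "kinit works, aklog does not give a usable token".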