[OpenAFS] Re: OpenAFS and AD trusts
Danko Antolovic
dantolov@indiana.edu
Tue, 19 Jul 2011 15:56:17 -0400
If I tell aklog to go after RESOURCE.NET explicitly, I end up with the
same error that started this thread:
[root@afs1c afs]# aklog -d -c afs1.bedrock.iu.edu -k RESOURCE.NET
Authenticating to cell afs1.bedrock.iu.edu (server afs1.bedrock.iu.edu).
We were told to authenticate to realm RESOURCE.NET.
Getting tickets: afs/afs1.bedrock.iu.edu@RESOURCE.NET
Getting tickets: afs/afs1.bedrock.iu.edu@RESOURCE.NET
Kerberos error code returned by get_cred : -1765328228
aklog: Couldn't get afs1.bedrock.iu.edu AFS tickets:
aklog: unknown RPC error (-1765328228) while getting AFS tickets
This looks like AFS is trying to get the ticket from RESOURCE.NET, and
fails with
"-1765328228 KRB5_KDC_UNREACH Cannot contact any KDC for requested realm"
Now, RESOURCE.NET does not authenticate users, but it knows about the
service afs/afs1.bedrock.iu.edu, and the asetkey is derived from a
keytab for RESOURCE.NET.
Danko
Andrew Deason wrote:
> On Tue, 19 Jul 2011 14:56:01 -0400
> "Danko Antolovic" <dantolov@indiana.edu> wrote:
>
>
>> You are correct, there is no dantolov@RESOURCE.NET; there is
>> dantolov@IU.EDU, and there is also a local user dantolov with AFS ID
>> 2. I did not see dantolov@iu.edu as a member of
>> system:authuser@iu.edu at any time. Are you saying that the presence
>> of the local user is the problem?
>>
>
> No, but it's probably making this more confusing.
>
>
>> [root@afs1c afs]# aklog -d -c afs1.bedrock.iu.edu
>> Authenticating to cell afs1.bedrock.iu.edu (server afs1.bedrock.iu.edu).
>> Trying to authenticate to user's realm IU.EDU.
>> Getting tickets: afs/afs1.bedrock.iu.edu@IU.EDU
>>
>
> I thought your afs service principal was
> afs/afs1.bedrock.iu.edu@RESOURCE.NET ? This is making aklog think you
> are not a foreign user, and so it's not trying the automatic
> registration thing.
>
>