[OpenAFS] single OpenAFS cell and multiple/different kerberos realms

Volkmar Glauche volkmar.glauche@uniklinik-freiburg.de
Tue, 27 Jan 2015 15:44:59 +0100

Dear all,

I've got a working setup for single cell/single realm OpenAFS and
kerberos for cell a.com/realm A.COM.

klist -e -f

Ticket cache: FILE:/tmp/krb5cc_606_c9Pb3J
Default principal: vglauche@A.COM

Valid starting       Expires              Service principal
27.01.2015 14:15:17  28.01.2015 14:15:17  krbtgt/A.COM@A.COM
         renew until 10.02.2015 14:15:17, Flags: FRIA
         Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
27.01.2015 14:15:17  28.01.2015 14:15:17  afs/a.com@A.COM
         renew until 10.02.2015 14:15:17, Flags: FRAT
         Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

Tokens held by the Cache Manager:

User's (AFS ID 606) tokens for afs@a.com [Expires Jan 28 14:15]
    --End of list--

Now, I would like to be able to use tickets from kerberos realm B.COM
to get OpenAFS tokens in cell a.com. I can neither add any principals
to realm B.COM nor implement a full cross-realm trust relationship.
I have done the following so far:
1. created an /etc/openafs/server/krb.conf file on the database server
machines, listing A.COM and B.COM on the first line of the file
2. added a user matching my principal "glauche" in B.COM to pts

My krbtgt from B.COM looks very similar to the one from A.COM:

klist -e -f

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: glauche@B.COM

Valid starting       Expires              Service principal
27.01.2015 14:08:41  28.01.2015 00:08:41  krbtgt/B.COM@B.COM
         renew until 03.02.2015 14:08:41, Flags: FRIA
         Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

However, aklog -d gives:
aklog: Couldn't get a.com AFS tickets:
aklog: unknown RPC error (-1765328377) while getting AFS tickets
Authenticating to cell a.com (server fbiafs3.a.com).
Trying to authenticate to user's realm B.COM.
Getting tickets: afs/a.com@B.COM
We've deduced that we need to authenticate to realm A.COM.
Getting tickets: afs/a.com@A.COM
Getting tickets: afs/a.com@A.COM
Getting tickets: afs@A.COM
Kerberos error code returned by get_cred : -1765328377

and I don't get a token. Am I missing something here, or is this
simply not allowed?


Freiburg Brain Imaging
Tel. +761 270-54783
Fax. +761 270-54819
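Added here as an illustration, not code from the post or from OpenAFS: a Python model of the realm walk that the `aklog -d` output above shows. The per-realm principal sets are assumed for the example; B.COM's KDC knows no afs/a.com principal and no cross-realm krbtgt, so every candidate fails with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, the symbolic name of the code -1765328377 in the post.

```python
# Constructed model of the aklog -d realm walk (added example, not aklog's code).

KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377  # the get_cred code in the post

# Assumed per-realm databases: which principals each KDC can issue tickets for.
# B.COM holds no afs/a.com and no cross-realm krbtgt, as the post describes.
KDCS = {
    "A.COM": {"krbtgt/A.COM@A.COM", "afs/a.com@A.COM", "afs@A.COM"},
    "B.COM": {"krbtgt/B.COM@B.COM"},
}

def realm_of(principal):
    """Realm part of name@REALM."""
    return principal.rsplit("@", 1)[1]

def kdc_of(tgt):
    """Realm whose KDC accepts this TGT: the instance of krbtgt/INSTANCE@REALM."""
    return tgt.split("@", 1)[0].split("/", 1)[1]

def get_cred(tgt, service, kdcs):
    """Model a TGS-REQ. A TGT is only good at the KDC named in its instance, so a
    service in another realm first needs a cross-realm TGT that both KDCs know."""
    kdc = kdc_of(tgt)
    if realm_of(service) != kdc:
        xrealm = f"krbtgt/{realm_of(service)}@{kdc}"
        if xrealm not in kdcs[kdc] or xrealm not in kdcs[realm_of(service)]:
            return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, None
        return get_cred(xrealm, service, kdcs)
    if service in kdcs[kdc]:
        return 0, f"ticket:{service}"
    return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, None

def aklog(cell, cell_realm, tgt, kdcs=KDCS):
    """The candidates aklog -d lists: the user's realm first, then the cell's
    realm with and without the cell name in the service principal."""
    user_realm = realm_of(tgt)
    log = [f"Trying to authenticate to user's realm {user_realm}."]
    candidates = [f"afs/{cell}@{user_realm}"]
    if cell_realm != user_realm:
        log.append(f"We've deduced that we need to authenticate to realm {cell_realm}.")
        candidates += [f"afs/{cell}@{cell_realm}", f"afs@{cell_realm}"]
    code = 0
    for service in candidates:
        log.append(f"Getting tickets: {service}")
        code, ticket = get_cred(tgt, service, kdcs)
        if code == 0:
            return code, ticket, log
    log.append(f"Kerberos error code returned by get_cred : {code}")
    return code, None, log
```

Passing a `kdcs` dict in which both realms hold `krbtgt/A.COM@B.COM` makes the same walk succeed, which is the cross-realm trust the post says cannot be set up.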