First, Please CC openafs-info; others may be able to help.

That being said.... Note that you need both principals:

  [EMAIL PROTECTED]
  [EMAIL PROTECTED]

in BOTH realms in order to get cross-realm to work properly! Or, at least, you need to have the correct set of keys, and honestly I can never remember which set you need in order to jump from realm A to realm B. Also note that the keys and KVNOs need to match. If these do not match, then yes, that could be the cause of your problem.

After you aklog, what happens if you 'klist'?

-derek

"Fabian Aichele" <[EMAIL PROTECTED]> writes:

> Hello!
>
> Sorry for the delay.
> Which kind of shared key? Host key?
> Keys for the krbtgt principals? I accidentally stumbled over this in the
> Kerberos FAQ at
> http://www.faqs.org/faqs/kerberos-faq/general/section-48.html.
> When I first established the inter-realm trust between my Linux and my
> Windows realm, I created the principals
> [EMAIL PROTECTED] (in the Linux realm)
> [EMAIL PROTECTED] (in the Windows realm),
> but I did not exchange these principals' keys in the way the FAQ describes.
> Is that what causes the "permission denied so unable to create remote PTS
> user" error?
>
> > Do you have a shared key between the two kerberos realms?
> >
> > -derek
> >
> > "Fabian Aichele" <[EMAIL PROTECTED]> writes:
> >
> > > Hello!
> > >
> > > All right, I created the system:[EMAIL PROTECTED] group,
> > > and I also added my MIT Kerberos host as KDC to my Windows realm
> > > definition in krb5.conf. These two steps did the trick, I get AFS
> > > tokens with my foreign user account!
> > > There is still a little "flaw". aklog sets my tokens correctly, but
> > > the user id it uses is still 32766 (anyuser, shouldn't that be
> > > different?), and
> > >
> > > <snip from "aklog -d">
> > > doing fist-time registration of <user>@hilarenhaus.hilaritas.de at
> > > linux.hilarenhaus.hilaritas.de
> > > aklog: permission denied so unable to create remote PTS user
> > > <user>@hilarenhaus.hilaritas.de in cell linux.hilarenhaus.hilaritas.de
> > > (status: 267269).
> > > </snip>
> > >
> > > So this probably means that something is missing some administrative
> > > privileges, but: Who/what exactly needs which privileges?
> > >
> > > After all those issues, it is probably time to write a verbose HOWTO
> > > on the topic AFS/Kerberos/Active Directory...
> > >
> > > Thank you for your tips,
> > > Fabian Aichele

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
[EMAIL PROTECTED]                        PGP key available

_______________________________________________
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info
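The point Derek raises, that the cross-realm krbtgt keys and their KVNOs have to agree on both sides, can be checked from the half of the setup you can actually inspect. A cross-realm TGT for realm B issued to a client of realm A is encrypted under the key of krbtgt/B@A, so the KVNO stamped on that ticket (as shown by MIT's `kvno` on the client) has to be one of the key versions B's KDC holds for krbtgt/B@A (as shown by `getprinc` on an MIT KDC). The script below is an added example, not code from this thread, from OpenAFS or from MIT Kerberos; the realm names LINUX.EXAMPLE and WIN.EXAMPLE, the principal names and every line of `kvno` and `getprinc` output in it are constructed placeholders standing in for the poster's real realms and KDC output.

```shell
#!/bin/sh
# Added example, not from the thread: check that the KVNO a client's home KDC
# stamped on a cross-realm TGT is one the other realm's KDC actually holds for
# that principal. LINUX.EXAMPLE / WIN.EXAMPLE and all output strings below are
# constructed placeholders, not real realms or real KDC output.

# What 'kvno krbtgt/LINUX.EXAMPLE@WIN.EXAMPLE' prints on a client that holds a
# WIN.EXAMPLE TGT (constructed; MIT kvno format is "principal: kvno = N").
CLIENT_KVNO='krbtgt/LINUX.EXAMPLE@WIN.EXAMPLE: kvno = 3'

# What 'kadmin.local -q "getprinc krbtgt/LINUX.EXAMPLE@WIN.EXAMPLE"' prints on
# the MIT KDC of LINUX.EXAMPLE (constructed, trimmed to the key lines).
KDC_DUMP='Principal: krbtgt/LINUX.EXAMPLE@WIN.EXAMPLE
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, arcfour-hmac'

# Client output after the key was re-created on one side only (constructed):
# the Windows KDC now issues kvno 4, but the MIT KDC still only knows kvno 3.
CLIENT_KVNO_STALE='krbtgt/LINUX.EXAMPLE@WIN.EXAMPLE: kvno = 4'

# ticket_kvno: extract the key version number from one line of 'kvno' output.
ticket_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# kdc_kvnos: list the distinct key version numbers found in a getprinc dump
# (an MIT KDC may keep several old versions of a key).
kdc_kvnos() {
    printf '%s\n' "$1" | sed -n 's/^Key: vno \([0-9][0-9]*\),.*/\1/p' | sort -u
}

# kvno_matches CLIENT_OUTPUT KDC_DUMP: return 0 when the kvno in the client's
# cross-realm ticket is one of the versions the far KDC holds, 1 otherwise.
kvno_matches() {
    want=$(ticket_kvno "$1")
    if [ -z "$want" ]; then
        echo "could not parse a kvno from the client output"
        return 1
    fi
    for have in $(kdc_kvnos "$2"); do
        if [ "$have" = "$want" ]; then
            echo "OK: ticket kvno $want is present on the far KDC"
            return 0
        fi
    done
    echo "MISMATCH: ticket kvno $want, far KDC holds: $(kdc_kvnos "$2" | tr '\n' ' ')"
    return 1
}

# Demonstration on the constructed samples: first agrees, second does not.
if kvno_matches "$CLIENT_KVNO" "$KDC_DUMP"; then :; fi
if kvno_matches "$CLIENT_KVNO_STALE" "$KDC_DUMP"; then :; fi
```

To use it against a real pair of realms, replace the two constructed strings with the output of `kvno` on a client of the Windows realm and of `getprinc` on the MIT KDC (Active Directory has no `getprinc`, which is why the check is done from the MIT side). A matching KVNO is necessary but not sufficient: the ticket can only be decrypted if the key material and encryption type also agree, so a KVNO match that still yields decrypt errors points at keys that were set independently on the two sides rather than exchanged, which is the scenario the FAQ section Fabian cites describes.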
