DUDE... Stop sending unsub messages to the list. WE CAN'T HELP YOU!

-derek

"Rogelio Bazan Reyes" <[EMAIL PROTECTED]> writes:

> >From: "Douglas E. Engert" <[EMAIL PROTECTED]>
> >To: Chris McClimans <[EMAIL PROTECTED]>
> >CC: [EMAIL PROTECTED]
> >Subject: Re: [OpenAFS] gssklogd access from windows
> >Date: Fri, 05 Sep 2003 09:12:56 -0500
> >
> >Chris McClimans wrote:
> > >
> > > I'm trying to get the keytabs generated, but apparently there are some
> > > technical hurdles when you only administer an ou within the AD and
> > > aren't a root admin. Something about kerberos principal keytab
> > > generation fails. Hopefully I can get the root AD admins to generate my
> > > gssklog/[EMAIL PROTECTED] tomorrow.
> > > If anyone cares, I can post the details of my attempts to generate
> > > keytabs as a lowly OU admin in MS AD.
> > >
> > > When gssklog connects to gssklogd (and tries to get
> > > [EMAIL PROTECTED]) the only way to contact the kdc for the
> > > CS.TTU.EDU realm is to have it configured in DNS or the krb5.conf
> > > equivalent. The equivalent doesn't seem to exist anywhere within the
> > > microsoft implementation as far as I can tell.
> > > The entry actually exists in the AD as a cross-realm trust, but I
> > > wonder if the gssapi implementation uses it as a referral if you passed
> > > the realm in via SSPI?
> >
> >Yes it should. To test this, in gssklog.c after the line:
> >
> >    strcat(service_princ_name,server);
> >add
> >    strcat(service_princ_name,"@CS.TTU.EDU");
> >
> >then after the line:
> >
> >    strcat(service_princ_name,cellconfig.hostName[i]);
> >add
> >    strcat(service_princ_name,"@CS.TTU.EDU");
> >
> > This is only a test (the size of the string service_princ_name should
> > also be increased)
> >and will only work for the SSPI.
> >I will also look at a substitute way to specify the realm of the cell.
> >
> > >
> > > -chris
> > >
> > > On Thursday, September 4, 2003, at 02:27 PM, Douglas E. Engert wrote:
> > > >
> > > > There are two ways to solve this.
> > > >
> > > > o The SSPI can actually allow the client to specify the realm,
> > > >   using some mapping of its own. [EMAIL PROTECTED] would be passed in
> > > >   I don't have this in the gssklog, but could add one, for example
> > > >   if the initial attempt failed, try the domain name as the realm, or
> > > >   use DNS etc.
> > > >
> > > > o Add a gssklog/[EMAIL PROTECTED] to the client's KDC.
> > > >   and have the gssklogd accept either. (This is what we do,
> > > >   but it takes a mod to the server's gssapi lib to accept either.)
> > > >
> > > > I will look into the mapping.
> > > >
> > >
> > > _______________________________________________
> > > OpenAFS-info mailing list
> > > [EMAIL PROTECTED]
> > > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
> >--
> >
> > Douglas E. Engert <[EMAIL PROTECTED]>
> > Argonne National Laboratory
> > 9700 South Cass Avenue
> > Argonne, Illinois 60439
> > (630) 252-5444

--
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       [EMAIL PROTECTED]                        PGP key available

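The test edit quoted in this thread appends "@CS.TTU.EDU" to service_princ_name with strcat, with the caveat that the buffer has to grow to hold it. As an added example (not code from gssklog.c or from anyone in the thread), here is a bounded way to build such a name that fails cleanly instead of overrunning the buffer. The helper name build_service_princ, the "service/host@REALM" layout and the sample host are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not part of gssklog.c. Builds
 * "<service>/<host>[@<realm>]" (layout assumed for this example) into out
 * and never writes more than outlen bytes.
 * Returns 0 on success, -1 on bad input or if the name would not fit. */
static int build_service_princ(char *out, size_t outlen, const char *service,
                               const char *host, const char *realm)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';                      /* never leave stale data behind */
    if (service == NULL || host == NULL || *service == '\0' || *host == '\0')
        return -1;
    /* A host that already carries a realm would produce "a@B@C". */
    if (strchr(host, '@') != NULL)
        return -1;

    if (realm != NULL && *realm != '\0')
        n = snprintf(out, outlen, "%s/%s@%s", service, host, realm);
    else
        n = snprintf(out, outlen, "%s/%s", service, host);

    /* snprintf reports the length it needed; treat truncation as an error
     * rather than handing a clipped principal name to the GSS/SSPI layer. */
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char name[64];

    /* "afs1.example.edu" is a constructed host name; the realm is the one
     * used in the thread. */
    if (build_service_princ(name, sizeof name, "gssklog",
                            "afs1.example.edu", "CS.TTU.EDU") == 0)
        printf("%s\n", name);
    else
        fprintf(stderr, "service principal name does not fit\n");
    return 0;
}
```

Rejecting a truncated name matters here because a clipped realm or host would silently request a ticket for a different principal than the one intended.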