Lars:

Your clients cannot read the contents of the krb.conf file
on your AFS server.   The clients must determine the Kerberos
REALM name based upon the DNS name of the VLDB servers.   If
your VLDB servers have a DNS name that is "cgv.tugraz.at" then
they will think the realm they belong to is "CGV.TUGRAZ.AT"
unless you set up per-machine "domain_realm" mappings in the
client's krb5.conf/krb5.ini files.

Now you asked for advice on how to set up your realms.

Create a new DNS subdomain:  windows.cgv.tugraz.at

Install AD as: WINDOWS.CGV.TUGRAZ.AT

Configure your existing DNS servers to forward requests for
"windows.cgv.tugraz.at" to AD

Install your MIT realm as "CGV.TUGRAZ.AT"

Install your AFS cell as "cgv.tugraz.at"

Create a cross realm trust between "CGV.TUGRAZ.AT" and
"WINDOWS.CGV.TUGRAZ.AT"

Set up your user accounts so they have a User Principal Name assignment
of <user>@CGV.TUGRAZ.AT.

Configure your domain workstations with KSETUP to know about
CGV.TUGRAZ.AT.

Have your users log in as "<user>@CGV.TUGRAZ.AT"

Jeffrey Altman


Lars Schimmer wrote:

> Jeffrey Altman wrote:
> 
>>>What does "aklog -d" report?
> 
> 
> It tells me:
> aklog -d
> Authenticating to cell cgv.tugraz.at (server phobos.cgv.tugraz.at).
> We've deduced that we need to authenticate to realm CGV.TUGRAZ.AT.
> Getting tickets: afs/[EMAIL PROTECTED]
> Kerberos error code returned by get_cred: -1765328377
> 
> *strange*
> 
> 
>>>also, did you configure your Cell to accept the new REALM as the home
>>>cell via the AFS krb.conf file?
> 
> 
> Not as I assume and aklog tells me.
> OK, after some google I found I need to set up a krb.conf file with the
> name of the REAL REALM in it.
> Done that, but I use Debian. So I set up a file krb.conf in /etc/openafs
> and in /etc/openafs/server.
> Rebooted, and aklog -d tells the same as above...
> strange.
> 
> 
>>>Jeffrey Altman
> 
> 
> Cya & Thx
> Lars
> --
> -------------------------------------------------------------
> TU Graz, Institut für ComputerGraphik & WissensVisualisierung
> Tel.: +43 316 873-5405       E-Mail: [EMAIL PROTECTED]
> PGP-Key-ID: 0xB87A0E03
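
The realm deduction described in the reply at the top of this message, as an added example that is not part of the original thread and is not aklog's or MIT Kerberos's own code: a simplified Python model of how a client maps a server's DNS name to a realm, first through krb5.conf [domain_realm] entries and otherwise by upper-casing the DNS domain. The realm EXAMPLE.REALM, the host other.cgv.tugraz.at, the sample krb5.conf text and the function names are constructed for illustration.

```python
# Simplified model (assumption): exact host entry, then ".domain" suffix
# entries from most to least specific, then the upper-cased DNS domain.

def parse_domain_realm(krb5_conf_text):
    """Return the {host-or-.domain: REALM} entries of the [domain_realm] section."""
    mappings, section = {}, None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mappings[key.lower()] = realm
    return mappings


def realm_for_host(hostname, mappings):
    """Realm a client would assume for `hostname` given [domain_realm] mappings."""
    host = hostname.lower().rstrip(".")
    if host in mappings:                          # per-machine entry wins
        return mappings[host]
    labels = host.split(".")
    for i in range(1, len(labels)):               # .cgv.tugraz.at, .tugraz.at, .at
        suffix = "." + ".".join(labels[i:])
        if suffix in mappings:
            return mappings[suffix]
    # No mapping: the realm is guessed from the DNS domain of the server.
    return ".".join(labels[1:]).upper()


# Constructed krb5.conf fragment; EXAMPLE.REALM is a placeholder realm name.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.REALM

[domain_realm]
    # per-domain mapping, plus a per-machine override
    .cgv.tugraz.at = EXAMPLE.REALM
    other.cgv.tugraz.at = CGV.TUGRAZ.AT
"""

if __name__ == "__main__":
    server = "phobos.cgv.tugraz.at"               # VLDB server from the aklog output
    print("no mapping  :", realm_for_host(server, {}))
    print("with mapping:", realm_for_host(server, parse_domain_realm(SAMPLE_KRB5_CONF)))
```

Without a mapping the model yields CGV.TUGRAZ.AT, matching the "We've deduced that we need to authenticate to realm CGV.TUGRAZ.AT" line in the quoted aklog output.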