I am trying to get OpenAFS to work with an AD/Kerberos domain-trust arrangement.
My AFS server, afs1.bedrock.iu.edu, is a service principal in an AD domain that is meant to be a resource domain only (no individual users have creds there): RESOURCE.NET

My user creds are in an AD domain that serves as the regular user database: IU.EDU

There is a one-way external trust between the two AD domains: RESOURCE.NET trusts IU.EDU

The OpenAFS configuration knows only about RESOURCE.NET, which is the default (and only) Kerb domain in /etc/krb5.conf, and is also the domain listed in /usr/afs/etc/krb.conf.

I set up the AFS key with the asetkey command, using the keytab for RESOURCE.NET:

  asetkey add 3 afs_keytab_file.keytab afs/[email protected]

I get the TGT using kinit [email protected], i.e. with my regular user creds.

Problems start with aklog. If I do

  aklog -c afs1.bedrock.iu.edu

I get what looks like a valid service ticket and a token from the user's domain, in this case IU.EDU. This token, however, does not allow me to touch the files in the AFS cell: file-changing operations fail with "Permission denied."

If I do

  aklog -c afs1.bedrock.iu.edu -k RESOURCE.NET

it fails with this error code:

  Kerberos error code returned by get_cred : -1765328228
  aklog: Couldn't get afs1.bedrock.iu.edu AFS tickets:
  aklog: unknown RPC error (-1765328228) while getting AFS tickets

which is "-1765328228 KRB5_KDC_UNREACH Cannot contact any KDC for requested realm"

klist turns up what looks like a trust-related ticket: krbtgt/[email protected]

Finally, this AFS installation works perfectly against a simple (non-trust) AD domain.

At this point I am not sure whether this is an OpenAFS issue or an AD trust issue. Has anyone been down this path before?

Thank you,
Danko Antolovic
Principal Scientist, Research Technologies, Indiana University
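As an added illustration (not the poster's actual file, and not a confirmed fix for the problem above): the post says /etc/krb5.conf defines only RESOURCE.NET, while the -k RESOURCE.NET run fails with KRB5_KDC_UNREACH for the requested realm. The fragment below shows what a client krb5.conf looks like when both realms are defined, the AFS server's hostname is mapped to the resource realm, and a direct cross-realm path from the user realm to the resource realm is declared. The KDC hostnames are assumed, and the service principal is assumed to be afs/afs1.bedrock.iu.edu@RESOURCE.NET (the address is obfuscated in the post).

```ini
# Added example client /etc/krb5.conf for a two-realm, one-way-trust setup.
# Hostnames dc1.resource.net and dc1.iu.edu are assumptions, not from the post.

[libdefaults]
    default_realm = RESOURCE.NET
    dns_lookup_kdc = true

[realms]
    # Resource realm: holds the AFS service principal (afs/afs1.bedrock.iu.edu)
    RESOURCE.NET = {
        kdc = dc1.resource.net
        admin_server = dc1.resource.net
    }
    # User realm: the realm the TGT is obtained from with kinit
    IU.EDU = {
        kdc = dc1.iu.edu
    }

[domain_realm]
    # Map the AFS server's hostname to the resource realm, so the client asks
    # RESOURCE.NET (not the user's realm) when resolving afs/afs1.bedrock.iu.edu
    afs1.bedrock.iu.edu = RESOURCE.NET

[capaths]
    # Direct path: a client holding an IU.EDU TGT first obtains the cross-realm
    # ticket krbtgt/RESOURCE.NET@IU.EDU, then the service ticket from RESOURCE.NET
    IU.EDU = {
        RESOURCE.NET = .
    }
```

With both realms defined, the Kerberos side can be checked independently of OpenAFS: after `kinit user@IU.EDU`, run `kvno afs/afs1.bedrock.iu.edu@RESOURCE.NET` and then `klist`. If kvno also reports that no KDC can be contacted for the realm, the fault is in the client realm configuration or the trust rather than in aklog; if the service ticket appears in klist but aklog's token is still refused, the remaining question is on the AFS side. One caveat on that side: the server's /usr/afs/etc/krb.conf lists the realms whose principals are treated as local cell users, so a token minted for a principal in a realm not listed there is seen by the fileserver under a user@realm identity rather than the bare user name, which matches the "Permission denied" symptom described for the IU.EDU token.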
