Dear all,

I've got a working setup for single cell/single realm OpenAFS and Kerberos for cell a.com/realm A.COM.

klist -e -f

Ticket cache: FILE:/tmp/krb5cc_606_c9Pb3J
Default principal: [email protected]

Valid starting       Expires              Service principal
27.01.2015 14:15:17  28.01.2015 14:15:17  krbtgt/[email protected]
        renew until 10.02.2015 14:15:17, Flags: FRIA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
27.01.2015 14:15:17  28.01.2015 14:15:17  afs/[email protected]
        renew until 10.02.2015 14:15:17, Flags: FRAT
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

tokens
Tokens held by the Cache Manager:

User's (AFS ID 606) tokens for [email protected] [Expires Jan 28 14:15]
   --End of list--

Now, I would like to be able to use tickets from Kerberos realm B.COM to get OpenAFS tokens in cell a.com. I can neither add any principals to realm B.COM nor implement a full cross-realm trust relationship.
I have done the following so far:
1. created an /etc/openafs/server/krb.conf file on the database server machines, listing A.COM and B.COM on the first line of the file
2. added a user matching my principal "glauche" in B.COM to pts

My krbtgt from B.COM looks very similar to the one from A.COM:

klist -e -f

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
27.01.2015 14:08:41  28.01.2015 00:08:41  krbtgt/[email protected]
        renew until 03.02.2015 14:08:41, Flags: FRIA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

However, aklog -d gives:
aklog: Couldn't get a.com AFS tickets:
aklog: unknown RPC error (-1765328377) while getting AFS tickets
Authenticating to cell a.com (server fbiafs3.a.com).
Trying to authenticate to user's realm B.COM.
Getting tickets: afs/[email protected]
We've deduced that we need to authenticate to realm A.COM.
Getting tickets: afs/[email protected]
Getting tickets: afs/[email protected]
Getting tickets: [email protected]
Kerberos error code returned by get_cred : -1765328377

and I don't get a token. Am I missing something here, or is this simply not allowed?

Volkmar


--
Freiburg Brain Imaging
http://fbi.uniklinik-freiburg.de/
Tel. +761 270-54783
Fax. +761 270-54819


_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
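
Added example, not part of the original post or of OpenAFS: the number aklog prints as "unknown RPC error" is an MIT krb5 com_err value, so subtracting the krb5 table base gives the Kerberos protocol error number. The sketch below reads an `aklog -d` trace, lists which principals were requested while aklog was targeting which realm, and decodes the code; the function names, the error subset and the sample trace (including its principal names) are constructed for illustration.

```python
import re

# ERROR_TABLE_BASE_krb5: MIT krb5 com_err codes are this base + the RFC 4120 error number.
KRB5_TABLE_BASE = -1765328384

# Subset of the table that commonly shows up when a service ticket request fails.
KDC_ERRORS = {
    6: ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "client not found in Kerberos database"),
    7: ("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", "server not found in Kerberos database"),
    14: ("KRB5KDC_ERR_ETYPE_NOSUPP", "KDC has no support for encryption type"),
    32: ("KRB5KRB_AP_ERR_TKT_EXPIRED", "ticket expired"),
    37: ("KRB5KRB_AP_ERR_SKEW", "clock skew too great"),
}

def decode_krb5(code):
    """Map a com_err value to (name, text); None if it is outside the krb5 table."""
    offset = code - KRB5_TABLE_BASE
    if not 0 <= offset < 256:
        return None
    return KDC_ERRORS.get(offset, (f"krb5 error {offset}", "not in this subset"))

def analyse_aklog(trace):
    """Return the (realm, principal) requests aklog logged and the decoded error."""
    attempts, realm, error = [], None, None
    for line in (raw.strip() for raw in trace.splitlines()):
        if m := re.search(r"authenticate to (?:user's )?realm (\S+?)\.?$", line):
            realm = m.group(1)          # realm aklog is currently targeting
        elif m := re.match(r"Getting tickets: (\S+)", line):
            attempts.append((realm, m.group(1)))
        elif m := re.search(r"returned by get_cred : (-?\d+)", line):
            error = decode_krb5(int(m.group(1)))
    return {"attempts": attempts, "error": error}

# Constructed sample in the shape of an `aklog -d` trace; principals are illustrative.
SAMPLE = """\
Authenticating to cell a.com (server db1.a.com).
Trying to authenticate to user's realm B.COM.
Getting tickets: afs/a.com@B.COM
We've deduced that we need to authenticate to realm A.COM.
Getting tickets: afs/a.com@A.COM
Getting tickets: afs@A.COM
Kerberos error code returned by get_cred : -1765328377
"""

if __name__ == "__main__":
    result = analyse_aklog(SAMPLE)
    for realm, princ in result["attempts"]:
        print(f"requested {princ} while targeting realm {realm}")
    print("error:", result["error"])
```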
