Is that literally all you did as setup? If so, you would indeed be able to get tokens, but the servers would not recognize their keys and would reject the tokens.
It sounds like the correct extra steps for your case are to make the following changes on the AFS database servers:

(1) create a file /etc/openafs/server/krb.conf containing a single line, with the two Kerberos realms on it separated by spaces (that is, "X.COM X.BIZ")

(2) extract the afs cell principal in the X.BIZ domain to a keytab, and then add that to /etc/openafs/server/rxkad.keytab.

    # ktutil
    ktutil: rkt /etc/openafs/server/rxkad.keytab
    ktutil: rkt /path/to/new/keytab
    ktutil: wkt /etc/openafs/server/rxkad.keytab

Note that the new principal must have a different kvno from the old, and that extracting it from the KDC will generate a new key and increment its kvno.

(If for some reason you are using openafs configured in legacy mode, that may be /usr/afs/etc/krb.conf and/or /usr/afs/etc/KeyFile. If you are using KeyFile, you will need to use the asetkey utility to manipulate it, not ktutil.)

On January 15, 2018 6:49:37 AM EST, Tim Piessens <[email protected]> wrote:
>Hi all,
>
>can somebody shed some light on this issue ?
>We are trying to switch between kerberos realms ( and servers ).
>original : X.COM
>new : X.BIZ
>
>cell : x.com
>
>I have created a new kerberos service principal afs/[email protected]
>in the new kerberos server.
>I have added the realm to the krb5.conf file.
>
>On the client, I can kinit / aklog for both the [email protected]
>and [email protected]
>Both give me a token for afs-UID 1000.
>
>But when I try to access a folder with the X.COM token,
>it works, with the X.BIZ token, I get a permission denied.
>
>What could be the root cause ?
>How can I debug this ?
>
>
>Thanks,
>
>Tim

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
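An added sanity check, not from the thread, for the state the reply describes: after the ktutil merge, the server keytab should carry an afs key for each realm under its own kvno, and krb.conf should list both realms. The klist -ke listing below is constructed (MIT krb5 output format and the principal name afs/x.com are assumptions, since the thread redacts them).

```python
import re

# Constructed sample of what MIT krb5 `klist -ke` prints for the merged
# rxkad.keytab. Format and principal name are assumptions, not from the thread.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs/x.com@X.COM (aes256-cts-hmac-sha1-96)
   3 afs/x.com@X.COM (aes128-cts-hmac-sha1-96)
   4 afs/x.com@X.BIZ (aes256-cts-hmac-sha1-96)
   4 afs/x.com@X.BIZ (aes128-cts-hmac-sha1-96)
"""

# Constructed contents of /etc/openafs/server/krb.conf as the reply describes it.
KRB_CONF = "X.COM X.BIZ\n"

# One keytab entry line: kvno, principal, realm, enctype in parentheses.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+?)@(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Map each realm to the set of kvnos its afs service keys use."""
    kvnos = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, separator and blank lines
        kvno, princ, realm, _enctype = m.groups()
        if princ == "afs" or princ.startswith("afs/"):
            kvnos.setdefault(realm, set()).add(int(kvno))
    return kvnos


def check_realm_switch(klist_text, krb_conf_text, realms):
    """Return a list of problems; an empty list means both files agree with `realms`."""
    problems = []
    listed = set(krb_conf_text.split())
    for r in realms:
        if r not in listed:
            problems.append(f"{r} missing from krb.conf")
    kvnos = parse_klist(klist_text)
    for r in realms:
        if r not in kvnos:
            problems.append(f"no afs key for realm {r} in keytab")
    # As the reply notes, the new principal's key needs a kvno distinct from the old one.
    owner = {}
    for r, ks in kvnos.items():
        for k in ks:
            if k in owner and owner[k] != r:
                problems.append(f"kvno {k} used by both {owner[k]} and {r}")
            owner[k] = r
    return problems
```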
