Thanks all, I was not aware of the krb.conf and kvno limitation. Now it works.

Dr. Ir. Tim Piessens
CTO and Founder, www.icsense.com

> On 15 Jan 2018, at 13:08, brandon s allbery kf8nh <[email protected]> wrote:
>
> Is that literally all you did as setup? If so, you would indeed be able to
> get tokens, but the servers would not recognize their keys and would reject
> the tokens.
>
> It sounds like the correct extra steps for your case are to make the
> following changes on the AFS database servers:
>
> (1) create a file /etc/openafs/server/krb.conf containing a single line, with
> the two Kerberos realms on it separated by spaces (that is, "X.COM X.BIZ")
>
> (2) extract the afs cell principal in the X.BIZ domain to a keytab, and then
> add that to /etc/openafs/server/rxkad.keytab.
>
>     # ktutil
>     ktutil: rkt /etc/openafs/server/rxkad.keytab
>     ktutil: rkt /path/to/new/keytab
>     ktutil: wkt /etc/openafs/server/rxkad.keytab
>
> Note that the new principal must have a different kvno from the old, and that
> extracting it from the KDC will generate a new key and increment its kvno.
>
> (If for some reason you are using openafs configured in legacy mode, that may
> be /usr/afs/etc/krb.conf and/or /usr/afs/etc/KeyFile. If you are using
> KeyFile, you will need to use the asetkey utility to manipulate it, not
> ktutil.)
>
> On January 15, 2018 6:49:37 AM EST, Tim Piessens <[email protected]> wrote:
>> Hi all,
>>
>> can somebody shed some light on this issue?
>> We are trying to switch between Kerberos realms (and servers).
>> original: X.COM
>> new: X.BIZ
>>
>> cell: x.com
>>
>> I have created a new Kerberos service principal afs/[email protected]
>> in the new Kerberos server.
>> I have added the realm to the krb5.conf file.
>>
>> On the client, I can kinit / aklog for both [email protected] and
>> [email protected]. Both give me a token for afs-UID 1000.
>>
>> But when I try to access a folder with the X.COM token, it works; with the
>> X.BIZ token, I get a permission denied.
>>
>> What could be the root cause?
>> How can I debug this?
>>
>> Thanks,
>>
>> Tim
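The kvno caveat in the quoted steps is the part that is easy to get wrong silently: after the ktutil merge, rxkad.keytab holds keys for the afs service principal in both realms, and the servers pick a key by kvno alone, so two realms sharing a kvno cannot be told apart. The script below is an added example (not code from the thread or from OpenAFS) that parses an MIT-format keytab, lists the afs keys by principal and kvno, and reports any kvno shared by more than one realm, so the merged file can be checked before it is put in place. The sample keytabs it builds are constructed in the script with placeholder key bytes; the principal and realm names are assumed from the thread (afs/x.com in X.COM and X.BIZ).

```python
"""Check an rxkad.keytab for afs service keys that share a kvno across realms.

Added example, not from the thread or from OpenAFS. Layout follows the MIT
krb5 keytab file format (version bytes 0x05 0x02): each entry is a signed
32-bit length, then component count, realm, components, name type, timestamp,
an 8-bit vno, the keyblock (enctype + counted key) and an optional 32-bit vno.
"""
import struct
from collections import defaultdict

KEYTAB_VERSION = b"\x05\x02"


def _counted(data):
    """Counted octet string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob, pos):
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    return blob[pos:pos + n], pos + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes.
    Only used here to construct sample input; ktutil/kadmin write real files."""
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp)
        body += struct.pack(">II", 1, 0)        # name type NT-PRINCIPAL, timestamp 0
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)         # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob):
    """Return a list of {principal, kvno, enctype} dicts; key material is skipped."""
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                    # negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp.decode())
        pos += 8                        # name type and timestamp
        kvno = blob[pos]
        pos += 1
        enctype, keylen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + keylen               # enctype, key length, key bytes
        if end - pos >= 4:              # optional 32-bit vno overrides vno8 if nonzero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype})
    return entries


def kvno_conflicts(entries, service="afs"):
    """Map kvno -> sorted principals for kvnos used by more than one afs principal.
    Several enctypes of one principal at the same kvno are fine; two realms are not."""
    by_kvno = defaultdict(set)
    for e in entries:
        if e["principal"].split("/")[0].split("@")[0] == service:
            by_kvno[e["kvno"]].add(e["principal"])
    return {k: sorted(v) for k, v in by_kvno.items() if len(v) > 1}


# Constructed samples (placeholder key bytes, not real keys): enctype 18 is
# aes256-cts-hmac-sha1-96, 17 is aes128-cts-hmac-sha1-96.
OLD_KEY = ("afs/x.com@X.COM", 3, 18, b"\x11" * 32)
CLASHING = build_keytab([OLD_KEY, ("afs/x.com@X.BIZ", 3, 18, b"\x22" * 32)])
MERGED_OK = build_keytab([OLD_KEY, ("afs/x.com@X.BIZ", 4, 18, b"\x22" * 32),
                          ("afs/x.com@X.BIZ", 4, 17, b"\x33" * 16)])

if __name__ == "__main__":
    for label, blob in (("clashing", CLASHING), ("merged_ok", MERGED_OK)):
        entries = parse_keytab(blob)
        for e in entries:
            print(label, e["principal"], "kvno", e["kvno"], "enctype", e["enctype"])
        print(label, "conflicts:", kvno_conflicts(entries) or "none")
```

To run it against a real file, replace the constructed blobs with `parse_keytab(open("/etc/openafs/server/rxkad.keytab", "rb").read())`; the same listing can be cross-checked with `ktutil` (`rkt` then `list`). A non-empty result from `kvno_conflicts` means the X.BIZ principal was exported at a kvno the X.COM key already uses, which is the condition the quoted note warns about.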
