Subject: Re: [OpenAFS] Borderline offtopic: OpenAFS as ~ for Samba AD?
Date: Mon, Jan 20, 2020 at 04:42:24PM -0500
Quoting Jeffrey E Altman ([email protected]):

> No need for cross-realm. Create an afs/[email protected] service principal
> with a kvno that differs from the afs/[email protected] service principal
> and add the key to your AFS servers as well as adding both realm names
> to the AFS servers' krb.conf.

Thanks! I've finally mustered enough bravery to tackle this.

Would proper DNS find-a-bility for Kerberos serve as a complete substitute for "as adding both realm names to the AFS servers' krb.conf"?

I've added the afs/[email protected] principals, with identical keytypes and different kvno, to the rxkad.keytab on all my servers, and restarted processes on them.

After having fixed the krb5.conf for Heimdal on the Windows clients to point to the right domain, I can log in without delay. I've mapped my home directory in AFS to H:\ and that's where I end up when logging in, and I have a token issued for [email protected] in my cell.

But it is not giving me any rights. I suspect I must map my SAMBA4.REALM user to rights management in my cell, some way. Or is there some magic I'm missing?

I've tried adding [email protected] to various pts entities like groups and the list of users, but no such luck; I get error messages (no such user for group or acl membership, "badly formed name" for user creation).

I'm on way too old software versions in my cell, of course. Would upgrading help?

Most gratefully,
--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
I appoint you ambassador to Fantasy Island!!!
