On 2/15/2020 7:55 AM, Måns Nilsson wrote:
> Subject: Re: [OpenAFS] Borderline offtopic: OpenAFS as ~ for Samba AD?
> Date: Mon, Jan 20, 2020 at 04:42:24PM -0500
> Quoting Jeffrey E Altman ([email protected]):
>> No need for cross-realm.  Create an afs/[email protected] service principal
>> with a kvno that differs from the afs/[email protected] service principal and
>> add the key to your AFS servers as well as adding both realm names to the
>> AFS servers' krb.conf.
> 
> Thanks! 
> 
> I've finally mustered enough bravery to tackle this.  Would proper DNS
> find-a-bility for Kerberos serve as complete substitute for "as adding
> both realm names to the AFS servers' krb.conf" ?

NO! The list of realms in the krb.conf are used to specify which realms
will be chopped off the authenticated principal name so there will be a
match with protection service user or group entries.

Kerberos DNS SRV records are used by clients to find the Kerberos KDCs
for the realm.  The AFS servers never contact the KDCs themselves.

> I've added the afs/[email protected] principals, with identical keytypes
> and different kvno to the rxkad.keytab on all my servers, restarted
> processes on them.
> 
> After having fixed the krb5.conf for Heimdal on the Windows clients to
> point to the right domain, I can login without delay.
> 
> I've mapped my home directory in AFS to H:\ and that's where I end up
> when logging in, and I have a token issued for [email protected] in my
> cell. But it is not giving me any rights.  
> 
> I suspect I must map my SAMBA4.REALM user to rights management in my cell,
> some way. Or is there some magic I'm missing?

This is what the AFS krb.conf is for.  All of the local authentication
realms must be listed there and the servers restarted for the change to
take effect.

> I've tried adding [email protected] to various pts entities like groups
> and the list of users, but no such luck; I'get error messages
> (no such user for group or acl membership, "badly formed name" for
> user creation). I'm on way too old software versions in my cell, of
> course. Would upgrading help?

You would only create a system:[email protected] group and then
create <user>@samba4.realm entries if you were treating the two sets of
identities as unique.

Jeffrey Altman
