[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

afslog behaviour in a cross realm configuration

To: heimdal discusion list <heimdal-discuss@sics.se>
Subject: afslog behaviour in a cross realm configuration
From: Ulrich Schwickerath <Ulrich.Schwickerath@iwr.fzk.de>
Date: Wed, 17 Aug 2005 18:43:56 +0200
Organization: Forschungszentrum Karlsruhe, HIK
Sender: owner-heimdal-discuss@sics.se
User-Agent: KMail/1.8

Hi,

I'm a bit wondering about the behaviour of afslog in a cross realm 
authentication situation. I have two ADS, say A.FZK.DE and CG.FZK.DE.
There is a one way trust between them, so that users from A.FZK.DE can log 
into CG.FZK.DE. In the latter I have a afs ID of 7597 which matches the unix 
uid.
If I'm  authenticated in A.FZK.DE and run  aklog -d  (as provided by openafs 
1.3.86)  I get:
[schwicke]$ aklog -d
Authenticating to cell cg.fzk.de (server iwrafs0.fzk.de).
We've deduced that we need to authenticate to realm CG.FZK.DE.
Getting tickets: afs/cg.fzk.de@CG.FZK.DE
Principal not found, trying alternate service name: afs/@CG.FZK.DE
Using Kerberos V5 ticket natively
About to resolve name schwicke@A.FZK.DE to id in cell cg.fzk.de.
Id 393009
Set username to AFS ID 393009
Setting tokens. AFS ID 393009 /  @ A.FZK.DE

[schwicke@iwrcgvor1:/afs/cg.fzk.de/home/schwicke]$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 393009) tokens for afs@cg.fzk.de [Expires Aug 18 04:11]
   --End of list--

This AFS ID has been created previously by aklog. 
If I run heimdals afslog instead 
[schwicke@iwrcgvor1:/afs/cg.fzk.de/home/schwicke]$ afslog -v
krb5 tried afs/cg.fzk.de@A.FZK.DE -> 0

again it provides me with an afs token, but for the wrong AFS ID:
[schwicke@iwrcgvor1:/afs/cg.fzk.de/home/schwicke]$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 7597) tokens for afs@cg.fzk.de [Expires Aug 18 04:11]
   --End of list--

hence, this token is "discarded" since not matching the correct key (unknown 
key version number). The same problem occurs with my pam_krb5afs module which 
uses the heimdal libs.  As a result, people already authenticated in A.FZK.DE 
are let into the machine when connecting with ssh but get an afs token which 
does not work.

Is this behaviour known ? Is this just a  missconfiguration problem or a 
problem of libkafs ?

Thank's in advance!
Ulrich
-- 
__________________________________________
Dr. Ulrich Schwickerath
Forschungszentrum Karlsruhe
GRID-Computing and e-Science
Institut for Scientific Computing (IWR)
P.O. Box 36 40
76021 Karlsruhe, Germany

Tel: +49(7247)82-8607
Fax: +49(7247)82-4972 

e-mail: ulrich.schwickerath@iwr.fzk.de
PGP DH/DSS Key: ID 0xCEB9826F
Fingerprint: 5537 8473 CD26 507E 8EE2  BAAF 98E2 FD16 CEB9 826F
__________________________________________

Prev by Date: afslog behaviour in a cross realm configuration
Next by Date: Server not found in database
Prev by thread: afslog behaviour in a cross realm configuration
Next by thread: Re: afslog behaviour in a cross realm configuration
Index(es):
- Date
- Thread