
Re: afslog behaviour in a cross realm configuration



Hi, again,

I just realized that I still had an unlog;aklog in my login sequence (which I 
put there before as a workaround to get rid of the wrong token that 
afslog/kafs gives me). So, I'm afraid the change from "no" to "2b" does in 
fact not do the job. 

I think the whole point is that aklog gives me a token as 
$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 393009) tokens for afs@cg.fzk.de [Expires Aug 24 21:14]
   --End of list--
and that one works, while when I do a Heimdal afslog I get a token for AFS ID 
7597, which is the one I would have expected for A.FZK.DE.

User's (AFS ID 7597) tokens for afs@cg.fzk.de [Expires Aug 24 21:14]
   --End of list--

Maybe I should say that I'm not running a 524 service at all. Any idea?

Thanks,
Ulrich
 
On Wednesday 24 August 2005 10:40, Ulrich Schwickerath wrote:
> Hello, Love,
>
> Indeed, I had afs-use-524=no which was working fine with my ADS as long as
> I did not do cross realm authentication. Changing it explicitly to 2b does
> the job.
>
> Thanks a lot!
> Ulrich
>
> P.S.: I'm a bit puzzled on what may have happened to the email. Hope this
> one will go through :-)
>
> On Wednesday 24 August 2005 10:17, Love Hörnquist Åstrand wrote:
> > Hello
> >
> > Somehow this mail never reached me, I found it in the mailing list
> > archive.
> >
> > > I'm a bit wondering about the behaviour of afslog in a cross realm
> > > authentication situation. I have two ADS, say A.FZK.DE and CG.FZK.DE.
> > > There is a one-way trust between them, so that users from A.FZK.DE can
> > > log into CG.FZK.DE. In the latter I have an AFS ID of 7597 which matches
> > > the unix uid.
> >
> > ...
> >
> > > hence, this token is "discarded" since not matching the correct key
> > > (unknown key version number). The same problem occurs with my
> > > pam_krb5afs module which uses the heimdal libs.  As a result, people
> > > already authenticated in A.FZK.DE are let into the machine when
> > > connecting with ssh but get an afs token which does not work.
> > >
> > > Is this behaviour known? Is this just a misconfiguration problem or
> > > a problem of libkafs?
> > > Thanks in advance!
> >
> > Libkafs defaults to use 524, and if the 524 service on the cross-realm
> > KDC doesn't issue AFS 2b tokens, you'll get this failure.
> >
> > If you turn on local 2b conversion, see manpage for kafs, the problem
> > should go away.
> >
> > I've been thinking about defaulting to local 2b conversion for cross
> > realm case, but never got around to writing the code.
> >
> > Love

-- 
__________________________________________
Dr. Ulrich Schwickerath
Forschungszentrum Karlsruhe
GRID-Computing and e-Science
Institute for Scientific Computing (IWR)
P.O. Box 36 40
76021 Karlsruhe, Germany

Tel: +49(7247)82-8607
Fax: +49(7247)82-4972 

e-mail: ulrich.schwickerath@iwr.fzk.de
PGP DH/DSS Key: ID 0xCEB9826F
Fingerprint: 5537 8473 CD26 507E 8EE2  BAAF 98E2 FD16 CEB9 826F
__________________________________________
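The diagnostic this thread turns on is whether the token that afslog (or aklog) hands the cache manager carries the AFS ID you expect for the cell. The following shell check is an added example, not code from the thread, from Heimdal or from OpenAFS: it parses a tokens(1)-style listing read from stdin, extracts the AFS ID of the token held for a given cell, and compares it with an expected ID (on the setup described above the AFS ID equals the Unix uid, so `$(id -u)` is the natural value to pass). The two listings are constructed after the ones quoted in the mail; the cell name and AFS IDs are the ones quoted, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread, Heimdal or OpenAFS).
# Extract and check the AFS ID of the token held for a cell, as reported
# by tokens(1).  Real usage, after logging in:
#
#   if tokens | check_token cg.fzk.de "$(id -u)"; then
#       echo "token for cg.fzk.de has the expected AFS ID"
#   fi

# Print the AFS ID of the token held for cell $1, reading a tokens(1)
# listing on stdin.  Prints nothing and returns 1 if no token for that
# cell is listed.  A matching line looks like:
#   User's (AFS ID 7597) tokens for afs@cg.fzk.de [Expires Aug 24 21:14]
token_afs_id() {
    cell="$1"
    awk -v cell="$cell" '
        /AFS ID/ && index($0, "tokens for afs@" cell) > 0 {
            sub(/.*\(AFS ID /, "")   # drop everything up to the ID
            sub(/\).*/, "")          # drop the closing paren and the rest
            print
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    '
}

# Compare the AFS ID of the token for cell $1 with expected ID $2.
# Returns 0 on match, 1 on mismatch, 2 when no token for the cell is held
# (that is the case afslog/kafs leaves you in when conversion fails).
check_token() {
    cell="$1"
    expected="$2"
    got=$(token_afs_id "$cell") || return 2
    [ "$got" = "$expected" ]
}

# Constructed sample listings, modelled on the two shown in the mail.
AKLOG_LISTING="Tokens held by the Cache Manager:

User's (AFS ID 393009) tokens for afs@cg.fzk.de [Expires Aug 24 21:14]
   --End of list--"

AFSLOG_LISTING="Tokens held by the Cache Manager:

User's (AFS ID 7597) tokens for afs@cg.fzk.de [Expires Aug 24 21:14]
   --End of list--"

# Demonstration on the constructed listings, expecting AFS ID 7597
# (the ID that matches the Unix uid in the setup described above).
printf '%s\n' "$AFSLOG_LISTING" | check_token cg.fzk.de 7597 \
    && echo "afslog listing: AFS ID matches 7597"
printf '%s\n' "$AKLOG_LISTING" | check_token cg.fzk.de 7597 \
    || echo "aklog listing: AFS ID does not match 7597 (rc=$?)"
```

The check only tells you which identity the cache manager thinks it holds for the cell; whether that identity is the one the fileservers accept (the point the poster is making about the 393009 versus 7597 tokens) still has to be verified by actually accessing a protected directory in the cell.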