Re: afslog behaviour in a cross realm configuration
I just realized that I still had an unlog;aklog in my login sequence (which I
put there before as a workaround to get rid of the wrong token that
afslog/kafs gives me). So, I'm afraid the change from "no" to "2b" does in
fact not do the job.
I think the whole point is that aklog gives me a token as
Tokens held by the Cache Manager:
User's (AFS ID 393009) tokens for email@example.com [Expires Aug 24 21:14]
--End of list--
and that one works while when I do a Heimdal afslog I get a token for AFS ID
7597 which is the one I would have expected for A.FZK.DE.
User's (AFS ID 7597) tokens for firstname.lastname@example.org [Expires Aug 24 21:14]
--End of list--
Maybe I should say that I'm not running a 524 service at all. Any idea?
On Wednesday 24 August 2005 10:40, Ulrich Schwickerath wrote:
> Hello, Love,
> Indeed, I had afs-use-524=no which was working fine with my ADS as long as
> I did not do cross realm authentication. Changing it explicitly to 2b does
> the job.
> Thanks a lot!
> P.S.: I'm a bit puzzled on what may have happened to the email. Hope this
> one will go through :-)
> On Wednesday 24 August 2005 10:17, Love Hörnquist Åstrand wrote:
> > Hello
> > Somehow this mail never reached me, I found it in the mailing list
> > archive.
> > > I'm a bit wondering about the behaviour of afslog in a cross realm
> > > authentication situation. I have two ADS, say A.FZK.DE and CG.FZK.DE.
> > > There is a one way trust between them, so that users from A.FZK.DE can
> > > log into CG.FZK.DE. In the latter I have an AFS ID of 7597 which matches
> > > the unix uid.
> > ...
> > > hence, this token is "discarded" since not matching the correct key
> > > (unknown key version number). The same problem occurs with my
> > > pam_krb5afs module which uses the heimdal libs. As a result, people
> > > already authenticated in A.FZK.DE are let into the machine when
> > > connecting with ssh but get an afs token which does not work.
> > >
> > > Is this behaviour known? Is this just a misconfiguration problem or
> > > a problem of libkafs ?
> > > Thanks in advance!
> > Libkafs defaults to use 524, and if the 524 service on the cross-realm
> > KDC doesn't issue AFS 2b tokens, you'll get this failure.
> > If you turn on local 2b conversion, see manpage for kafs, the problem
> > should go away.
> > I've been thinking about defaulting to local 2b conversion for cross
> > realm case, but never got around to writing the code.
> > Love
Dr. Ulrich Schwickerath
GRID-Computing and e-Science
Institut for Scientific Computing (IWR)
P.O. Box 36 40
76021 Karlsruhe, Germany
PGP DH/DSS Key: ID 0xCEB9826F
Fingerprint: 5537 8473 CD26 507E 8EE2 BAAF 98E2 FD16 CEB9 826F
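The two token listings in this thread differ only in the AFS ID inside the parentheses, which is easy to miss by eye in a login sequence. The following shell snippet is an added example, not code from the thread or from Heimdal/OpenAFS: it parses the output format of the OpenAFS `tokens` command as shown above and checks that the token held for a given cell carries the AFS ID expected for that user (the unix uid in the poster's setup). The cell names `a.fzk.de`/`cg.fzk.de`, the `afs@cell` principal form and the sample listing are constructed for the example.

```shell
# Added example (not from the thread): verify that the AFS token held for a
# cell carries the expected AFS ID, by parsing `tokens` output read on stdin.
# Cell names, principal form and the sample listing below are constructed.

# Print "<afsid> <cell>" for every token line found in `tokens` output.
parse_tokens() {
    sed -n 's/^User.s (AFS ID \([0-9][0-9]*\)) tokens for afs@\([^ ]*\) .*/\1 \2/p'
}

# check_token_id CELL WANTED_ID
# Return 0 if the token for CELL has AFS ID WANTED_ID,
#        1 if a token for CELL is held but with a different AFS ID,
#        2 if no token for CELL is held at all.
check_token_id() {
    cell=$1
    want=$2
    got=$(parse_tokens | awk -v c="$cell" '$2 == c { print $1 }')
    [ -z "$got" ] && return 2
    [ "$got" = "$want" ] && return 0
    return 1
}

# Constructed sample listing, mirroring the shape of the two listings in the
# thread: one token with the expected ID and one with a foreign-realm ID.
SAMPLE_TOKENS='Tokens held by the Cache Manager:
User'\''s (AFS ID 7597) tokens for afs@a.fzk.de [Expires Aug 24 21:14]
User'\''s (AFS ID 393009) tokens for afs@cg.fzk.de [Expires Aug 24 21:14]
--End of list--'

# Stand-alone demonstration on the constructed listing. On a real host the
# live command would be piped instead:  tokens | check_token_id a.fzk.de "$(id -u)"
if printf '%s\n' "$SAMPLE_TOKENS" | check_token_id a.fzk.de 7597; then
    echo "token for afs@a.fzk.de has the expected AFS ID"
else
    echo "token for afs@a.fzk.de missing or has an unexpected AFS ID (rc=$?)"
fi
```

A non-zero return value from `check_token_id` is the condition under which the poster had to fall back to `unlog; aklog`, so the function can sit in a login script to flag a mismatched token before any AFS access is attempted.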