[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: afslog behaviour in a cross realm configuration

To: Love =?utf-8?q?H=C3=B6rnquist_=C3=85strand?= <lha@it.su.se>
Subject: Re: afslog behaviour in a cross realm configuration
From: Ulrich Schwickerath <Ulrich.Schwickerath@iwr.fzk.de>
Date: Wed, 24 Aug 2005 10:40:28 +0200
Cc: heimdal-discuss@sics.se, Ulrich.Schwickerath@web.de
In-Reply-To: <m2wtmbg34c.fsf@dhcp-wavelan-v-206.publik.su.se>
Organization: Forschungszentrum Karlsruhe, HIK
References: <m2wtmbg34c.fsf@dhcp-wavelan-v-206.publik.su.se>
Reply-To: ulrich.schwickerath@iwr.fzk.de
Sender: owner-heimdal-discuss@sics.se
User-Agent: KMail/1.8

Hello, Love,

Indeed, I had afs-use-524=no which was working fine with my ADS as long as I 
did not do cross realm authentication. Changing it explicitly  to 2b does the 
job.

Thank's a lot!
Ulrich

P.S.: I'm a bit puzzled on what may have happened to the email. Hope this one 
will go through :-)


On Wednesday 24 August 2005 10:17, Love Hörnquist Åstrand wrote:
> Hello
>
> Somehow this mail never reached me, I found it in the mailing list archive.
>
> > I'm a bit wondering about the behaviour of afslog in a cross realm
> > authentication situation. I have two ADS, say A.FZK.DE and CG.FZK.DE.
> > There is a one way trust between them, so that users from A.FZK.DE can
> > log into CG.FZK.DE. In the latter I have a afs ID of 7597 which matches
> > the unix uid.
>
> ...
>
> > hence, this token is "discarded" since not matching the correct key
> > (unknown key version number). The same problem occurs with my pam_krb5afs
> > module which uses the heimdal libs.  As a result, people already
> > authenticated in A.FZK.DE are let into the machine when connecting with
> > ssh but get an afs token which does not work.
> >
> > Is this behaviour known ? Is this just a  missconfiguration problem or a
> > problem of libkafs ?
> > Thank's in advance!
>
> Libkafs defaults to use 524, and if the 524 service on the cross-realm KDC
> doesn't issue AFS 2b tokens, you'll get this failure.
>
> If you turn on local 2b conversion, see manpage for kafs, the problem
> should go away.
>
> I've been thinking about defaulting to local 2b conversion for cross realm
> case, but never got around to writing the code.
>
> Love

-- 
__________________________________________
Dr. Ulrich Schwickerath
Forschungszentrum Karlsruhe
GRID-Computing and e-Science
Institut for Scientific Computing (IWR)
P.O. Box 36 40
76021 Karlsruhe, Germany

Tel: +49(7247)82-8607
Fax: +49(7247)82-4972 

e-mail: ulrich.schwickerath@iwr.fzk.de
PGP DH/DSS Key: ID 0xCEB9826F
Fingerprint: 5537 8473 CD26 507E 8EE2  BAAF 98E2 FD16 CEB9 826F
__________________________________________

Follow-Ups:
- Re: afslog behaviour in a cross realm configuration
  - From: Ulrich Schwickerath <Ulrich.Schwickerath@iwr.fzk.de>

Prev by Date: Re: afslog behaviour in a cross realm configuration
Next by Date: Re: Changes to PKINIT
Prev by thread: afslog behaviour in a cross realm configuration
Next by thread: Re: afslog behaviour in a cross realm configuration
Index(es):
- Date
- Thread