
Re: afslog behaviour in a cross realm configuration

Hello, Love,

Indeed, I had afs-use-524=no which was working fine with my ADS as long as I 
did not do cross realm authentication. Changing it explicitly to 2b does the 

Thanks a lot!

P.S.: I'm a bit puzzled on what may have happened to the email. Hope this one 
will go through :-)

On Wednesday 24 August 2005 10:17, Love Hörnquist Åstrand wrote:
> Hello
> Somehow this mail never reached me, I found it in the mailing list archive.
> > I'm a bit wondering about the behaviour of afslog in a cross realm
> > authentication situation. I have two ADS, say A.FZK.DE and CG.FZK.DE.
> > There is a one way trust between them, so that users from A.FZK.DE can
> > log into CG.FZK.DE. In the latter I have a afs ID of 7597 which matches
> > the unix uid.
> ...
> > hence, this token is "discarded" since not matching the correct key
> > (unknown key version number). The same problem occurs with my pam_krb5afs
> > module which uses the heimdal libs.  As a result, people already
> > authenticated in A.FZK.DE are let into the machine when connecting with
> > ssh but get an afs token which does not work.
> >
> > Is this behaviour known? Is this just a misconfiguration problem or a
> > problem of libkafs?
> > Thanks in advance!
> Libkafs defaults to use 524, and if the 524 service on the cross-realm KDC
> doesn't issue AFS 2b tokens, you'll get this failure.
> If you turn on local 2b conversion, see manpage for kafs, the problem
> should go away.
> I've been thinking about defaulting to local 2b conversion for cross realm
> case, but never got around to writing the code.
> Love

Dr. Ulrich Schwickerath
Forschungszentrum Karlsruhe
GRID-Computing and e-Science
Institut for Scientific Computing (IWR)
P.O. Box 36 40
76021 Karlsruhe, Germany

Tel: +49(7247)82-8607
Fax: +49(7247)82-4972 

e-mail: ulrich.schwickerath@iwr.fzk.de
Fingerprint: 5537 8473 CD26 507E 8EE2  BAAF 98E2 FD16 CEB9 826F
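Added illustration, not part of this thread: the weak setting discussed above next to the corrected one, as krb5.conf fragments. The placement under [appdefaults] as a "libkafs" application setting, and the per-realm nesting, are my assumption based on the Heimdal kafs(3) manpage; the realm names are the ones used in the thread, and the unrelated sections are omitted.

```ini
# Setting that fails for cross-realm users (from the thread):
# libkafs asks the cross-realm KDC's 524 service, which does not
# issue 2b tokens, so the token has an unknown key version number.
[appdefaults]
	libkafs = {
		afs-use-524 = no
	}

# Corrected setting: do local 2b conversion instead of relying on
# the remote 524 service. Section/nesting is an assumption, see lead-in.
[appdefaults]
	libkafs = {
		afs-use-524 = 2b
	}

# Assumed variant: restrict local 2b conversion to the trusted
# foreign realm only, leaving the home realm on its default.
[appdefaults]
	libkafs = {
		A.FZK.DE = {
			afs-use-524 = 2b
		}
	}
```

After changing the setting, verify with a user from the foreign realm: obtain a ticket, run afslog, and check that the resulting token is accepted (for example that a directory in the cell that is only readable by that AFS ID becomes accessible) rather than being silently discarded.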