Re: afslog behaviour in a cross realm configuration
Indeed, I had afs-use-524=no which was working fine with my ADS as long as I
did not do cross realm authentication. Changing it explicitly to 2b does the
Thanks a lot!
P.S.: I'm a bit puzzled on what may have happened to the email. Hope this one
will go through :-)
On Wednesday 24 August 2005 10:17, Love Hörnquist Åstrand wrote:
> Somehow this mail never reached me, I found it in the mailing list archive.
> > I'm a bit wondering about the behaviour of afslog in a cross realm
> > authentication situation. I have two ADS, say A.FZK.DE and CG.FZK.DE.
> > There is a one way trust between them, so that users from A.FZK.DE can
> > log into CG.FZK.DE. In the latter I have an afs ID of 7597 which matches
> > the unix uid.
> > hence, this token is "discarded" since not matching the correct key
> > (unknown key version number). The same problem occurs with my pam_krb5afs
> > module which uses the heimdal libs. As a result, people already
> > authenticated in A.FZK.DE are let into the machine when connecting with
> > ssh but get an afs token which does not work.
> > Is this behaviour known? Is this just a misconfiguration problem or a
> > problem of libkafs?
> > Thanks in advance!
> Libkafs defaults to use 524, and if the 524 service on the cross-realm KDC
> doesn't issue AFS 2b tokens, you'll get this failure.
> If you turn on local 2b conversion, see manpage for kafs, the problem
> should go away.
> I've been thinking about defaulting to local 2b conversion for cross realm
> case, but never got around to writing the code.
Dr. Ulrich Schwickerath
GRID-Computing and e-Science
Institut for Scientific Computing (IWR)
P.O. Box 36 40
76021 Karlsruhe, Germany
PGP DH/DSS Key: ID 0xCEB9826F
Fingerprint: 5537 8473 CD26 507E 8EE2 BAAF 98E2 FD16 CEB9 826F