One thing here is that the kerberos realm administrators should not have administrative
authority over the afs/cell. If they create the keytab and send it to us, they could connect
to any of our afs services with administrative privileges. In our scenario we only trust the other kerberos
realm as an authentication source for users, not as an administrative authority for anything else.
It looks like I'll have to hack ptserver to allow me to control the UIDs and still use cross-realm
kerberos users.
Maybe I could hack the database offline? Does anyone have pointers to the format
or other suggestions?
-chris
On Tuesday, July 29, 2003, at 01:26 PM, Douglas E. Engert wrote:
Chris McClimans wrote:
Is there a way to create an afs service principal and get the appropriate keytab files out of a Microsoft win2k KDC? I am not in administration for the remote KDC, and don't have a user/admin principal on the MS KDC.
Technically, if you don't have admin rights on the KDC you can never get the key. That's the point of the key being the shared secret between the KDC and the server. The admin of the KDC needs to get involved to get you the secret as the representative of the service.
See the MS ktpass command, which can produce a keytab, and is used by the
admin to set the service principal mapping. I think you can run it locally.
For example:
[EMAIL PROTECTED]:~$ /usr/sbin/kadmin -r TTU.EDU -p [EMAIL PROTECTED]
Authenticating as principal [EMAIL PROTECTED] with password.
Enter password:
kadmin: Databasetd: recv suboption NAWS 0 100 (100) 0 53 (53)e initializing kadmin interface
What other methods do I have to work with to get a working afs/[EMAIL PROTECTED]? Is there a way to generate a keytab/afskey based on the known password in the KDC for that principal? -chris
On Friday, July 25, 2003, at 11:57 PM, Derek Atkins wrote:
Chris McClimans <[EMAIL PROTECTED]> writes:
Does this mean that the pts entry would be username for the principal
[EMAIL PROTECTED] and I could pts createuser username -id 12345?
-chris
Assuming you make "REMOTE.REALM" the kerberos realm for your cell, and
obtain a key, afs/[EMAIL PROTECTED]. For a user with a
kerberos principal of [EMAIL PROTECTED] you would give them a pts
name of "username" and you can assign them an id of whatever you want.
e.g.:
klist
...
Default principal: [EMAIL PROTECTED]
...
07/26/03 00:39:12 07/26/03 10:39:12 [EMAIL PROTECTED]
07/26/03 00:39:12 07/26/03 10:39:12 [EMAIL PROTECTED]
...
tokens
User's (AFS ID 9661) tokens for [EMAIL PROTECTED] [Expires Jul 26 10:39]
User's (AFS ID 9661) tokens for [EMAIL PROTECTED] [Expires Jul 26 10:39]
...
--> pts exa 9661 -c sipb
Name: warlord, id: 9661, owner: system:administrators, creator: ...
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
[EMAIL PROTECTED] PGP key available
_______________________________________________ OpenAFS-info mailing list [EMAIL PROTECTED] https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
