Dave Botsch <[EMAIL PROTECTED]> wrote:
> I've been looking into doing cross-realm auth with afs. For the most
> part, it looks like this is pretty darn easy...
>
> setup the system:[EMAIL PROTECTED] group
> kinit in the foreign realm, run aklog/afslog -- this creates the pts
> entry
> add any afs acls

You can also just have afs service principals from BOTH realms added to the KeyFile on your servers. This is what I have done. This allows users in both realms to authenticate as the same pts id.

[EMAIL PROTECTED] -> cclausen (25160 in acm.uiuc.edu)
[EMAIL PROTECTED] -> cclausen (25160 in acm.uiuc.edu)

This is significantly less confusing to the user, although it assumes that you can trust that users in each realm are the same actual person.

> This leaves Windows... I see that Windows does come w. an
> aklog.exe... so, presumably, I could write a script to do the
> kinit/aklog.exe...

I have an aklog.cmd script:
@echo off
rem With no arguments: get tokens for the acm.uiuc.edu cell from the
rem Kerberos 5 (-5) credentials for the AD.UIUC.EDU realm in the KfW cache.
rem With arguments: pass them straight through to the real aklog.exe.
IF "%1" == "" (
       echo running aklog.exe -cell acm.uiuc.edu -k AD.UIUC.EDU -5
       aklog.exe -cell acm.uiuc.edu -k AD.UIUC.EDU -5
) ELSE (
       aklog.exe %*
)

By default, my Windows machines will attempt to use AD creds to obtain tokens when users type in "aklog". You either need to explicitly run aklog.exe or specify some other aklog option to get the default behaviour.

I have a login script (in the Start Menu "Startup") that runs the following:

@echo off
IF "%USERNAME%" == "install" (
 rem Put user's session into install mode (Terminal Services)
 change user /install
 GOTO :EOF
)
rem A local account has USERDOMAIN equal to the machine name; only domain
rem (remote) users have AD credentials to turn into AFS tokens.
IF "%USERDOMAIN%" == "%COMPUTERNAME%" (
 GOTO :EOF
) ELSE (
 rem Do things for remote users
 rem ms2mit.exe copies the Windows logon Kerberos credentials into the KfW cache,
 rem then aklog.exe uses them to get tokens for the acm.uiuc.edu cell.
 ms2mit.exe
 aklog.exe -cell acm.uiuc.edu -k AD.UIUC.EDU
)
:EOF

> what about the afscreds.exe gui in 1.4.2? Is there a way to tell it
> that the kerberos tickets are in realm A but it needs to get an afs
> service ticket in realm B?

This is possible from KfW with the AFS plugin (included in 1.5.10). I haven't figured out how to do it from the afscreds gui.

<<CDC
--
Christopher D. Clausen
[EMAIL PROTECTED] SysAdmin
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
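The Unix side of the procedure discussed in the thread (kinit in the foreign realm, aklog -k against that realm so the pts entry gets created, then the admin-side pts/fs steps), collected into one script. This is an added example, not code from either poster or from OpenAFS. It assumes the cell is acm.uiuc.edu with local realm ACM.UIUC.EDU and the foreign realm AD.UIUC.EDU (as in the thread), and relies on the OpenAFS convention that a user from a realm other than the cell's local realm gets the pts name user@realm with the realm lower-cased, while a local-realm user gets the bare username. The pts_name_for function and the DRY_RUN switch are this example's own additions.

```shell
#!/bin/sh
# Added example: cross-realm AFS user setup (not from the original thread).
# Assumed names: CELL=acm.uiuc.edu, LOCAL_REALM=ACM.UIUC.EDU, foreign realm
# AD.UIUC.EDU. Set DRY_RUN=1 to print the commands instead of running them.
set -eu

CELL=${CELL:-acm.uiuc.edu}
LOCAL_REALM=${LOCAL_REALM:-ACM.UIUC.EDU}
DRY_RUN=${DRY_RUN:-0}

# pts_name_for USER REALM
# The pts entry aklog will create or use for USER@REALM: the bare username
# when REALM is the cell's local realm, otherwise user@realm (realm lower-cased).
pts_name_for() {
    user=$1
    realm_up=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    local_up=$(printf '%s' "$LOCAL_REALM" | tr '[:lower:]' '[:upper:]')
    if [ "$realm_up" = "$local_up" ]; then
        printf '%s\n' "$user"
    else
        printf '%s@%s\n' "$user" "$(printf '%s' "$realm_up" | tr '[:upper:]' '[:lower:]')"
    fi
}

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# register_foreign_user USER REALM
# Run as the foreign user: kinit in REALM, then aklog against REALM for CELL.
# The first successful aklog creates the pts entry; we then confirm a token
# for the cell really exists (aklog can exit 0 without one if the cell's
# servers lack a key for that realm). Prints the resulting pts name.
register_foreign_user() {
    user=$1 realm=$2
    name=$(pts_name_for "$user" "$realm")
    run kinit "$user@$realm"
    run aklog -cell "$CELL" -k "$realm"
    if [ "$DRY_RUN" != 1 ]; then
        tokens | grep -q "tokens for .*$CELL" || {
            echo "no AFS token for $CELL after aklog; check the cell's KeyFile/realm config" >&2
            return 1
        }
    fi
    printf '%s\n' "$name"
}

# grant_access PTSNAME GROUP DIR RIGHTS
# Run with admin tokens for CELL: put the pts entry in GROUP and give GROUP
# RIGHTS on DIR, so the ACL names the group rather than per-realm entries.
grant_access() {
    name=$1 group=$2 dir=$3 rights=$4
    run pts adduser "$name" "$group" -cell "$CELL"
    run fs setacl "$dir" "$group" "$rights"
}

# Typical use (user session):   register_foreign_user cclausen AD.UIUC.EDU
# Then (admin session):         grant_access cclausen@ad.uiuc.edu staff /afs/acm.uiuc.edu/project rl
```

With DRY_RUN=1 the script prints exactly the kinit/aklog/pts/fs commands it would run, which is also a quick way to see which pts name a given principal maps to before touching any ACLs. If both realms' afs service principals are in the servers' KeyFile and both are treated as local, as described in the post, the bare-username case of pts_name_for applies to both realms.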
