[96] in Info-AFS_Redistribution
problems authenticating in the athena.mit.edu afs cell
daemon@ATHENA.MIT.EDU (daemon@ATHENA.MIT.EDU)
Mon Mar 18 18:04:42 1991
From: Bruce Howard <bhoward@citi.umich.edu>
To: ifs-staff@ifs.umich.edu, umich-staff@itd.umich.edu, basch@MIT.EDU
Cc: info-afs@transarc.com
Date: Mon, 18 Mar 91 17:27 EST
richard: please note that libaaa is a library of routines we use
at ifs to handle afs authentication and some other tasks. they are
typically called from programs such as login, ftpd, xdm and so forth.
recent attempts to authenticate in the athena.mit.edu cell have
failed. i assumed that this was due to string_to_key functions
differing between athena and transarc. i set about making changes to
libaaa so that both string_to_key functions would be attempted before an
authentication failure was reported.
i made the changes and libaaa successfully began obtaining afs service
tickets from athena that were stuffed into the kernel. unfortunately,
the first time that service ticket was used, our kernels would report
"Tokens for user blah in cell athena.mit.edu have expired". it turns
out that at mit, the afs service ticket is requested with a non-null
instance (specifically: afs.athena.mit.edu@ATHENA.MIT.EDU). this is
consistent with the naming scheme for service principals outlined in
athena documentation but differs from transarc, who use a null instance
for the afs service ticket (afs@UMICH.EDU).
i (with slightly guilty conscience) modified get_afs_auth_stk() in
libaaa to special case athena and substitute "athena.mit.edu" for the
instance should the authentication realm == ATHENA.MIT.EDU. following
this change, i recompiled a klog and authenticated as
bhoward@athena.mit.edu. i confirmed that the service ticket was
working by accessing a protected directory that was permitted to
system:authuser but not to system:anyuser.
i'll be recompiling ftpd, klog, login, xdm to use the new version of
libaaa.
bruce
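The message above describes two independent mismatches between cells: the string_to_key convention (AFS versus MIT Kerberos v4) and the instance of the AFS service principal (null versus the cell name), and it makes the point that obtaining a ticket from the KDC proved nothing until the file server accepted it. The following is an added example, not part of the original message and not libaaa or AFS code, of a fallback authenticator that tries every combination in a fixed order rather than special-casing one realm, and only returns once the file server accepts the token. The KDC, file server and both string_to_key functions are constructed stand-ins (the real ones are DES-based; the stand-ins only need to differ deterministically, with the AFS one salted by cell name and the v4 one not); all function and class names here are hypothetical.

```python
"""Added example: fallback over string_to_key variants and AFS service
principal instance forms. FakeKDC, FakeFileServer and the hash-based
string_to_key functions are stand-ins constructed for this example."""

import hashlib


def parse_v4_principal(p):
    """Split a Kerberos v4 principal 'name[.instance]@REALM'."""
    name_inst, _, realm = p.partition("@")
    name, _, inst = name_inst.partition(".")
    return name, inst, realm


def afs_service_candidates(cell, realm):
    """Ordered candidate AFS service principals: the Transarc form with a
    null instance first, then the Athena form with the cell as instance."""
    return [f"afs@{realm}", f"afs.{cell}@{realm}"]


# Stand-in string_to_key functions (assumption: real ones are DES-based).
def afs_string_to_key(password, cell):
    salted = b"afs:" + cell.lower().encode() + b":" + password.encode()
    return hashlib.sha256(salted).digest()[:8]


def krb4_string_to_key(password, cell):
    return hashlib.sha256(b"krb4:" + password.encode()).digest()[:8]


STRING_TO_KEY = [("afs", afs_string_to_key), ("krb4", krb4_string_to_key)]


class FakeKDC:
    """Issues a ticket whenever the user key is right and the service
    principal exists, whether or not any file server holds that key."""

    def __init__(self, user_keys, service_keys):
        self.user_keys = user_keys          # principal -> 8-byte key
        self.service_keys = service_keys    # principal -> 8-byte key

    def get_ticket(self, user, user_key, service):
        if self.user_keys.get(user) != user_key or service not in self.service_keys:
            return None
        seal = hashlib.sha256(self.service_keys[service] + user.encode()).digest()
        return {"service": service, "user": user, "seal": seal}


class FakeFileServer:
    """Accepts only tickets sealed under the one service key it holds."""

    def __init__(self, service_key):
        self.service_key = service_key

    def accepts(self, ticket):
        expected = hashlib.sha256(self.service_key + ticket["user"].encode()).digest()
        return ticket["seal"] == expected


def obtain_afs_token(user, password, cell, realm, kdc, fileserver):
    """Try each string_to_key variant against each candidate service
    principal; a ticket counts only once the file server accepts it.
    Returns (variant, service principal, ticket) or raises PermissionError."""
    tried = []
    for variant, s2k in STRING_TO_KEY:
        ukey = s2k(password, cell)
        for service in afs_service_candidates(cell, realm):
            ticket = kdc.get_ticket(f"{user}@{realm}", ukey, service)
            if ticket is None:
                tried.append((variant, service, "no ticket"))
            elif not fileserver.accepts(ticket):
                tried.append((variant, service, "issued but rejected by file server"))
            else:
                return variant, service, ticket
    raise PermissionError(f"all attempts failed: {tried!r}")


def athena_like_setup(password="constructed-password"):
    """Constructed cell: v4 string_to_key, KDC knows both service forms,
    but the file server holds only the afs.<cell> key."""
    cell, realm = "athena.mit.edu", "ATHENA.MIT.EDU"
    cell_key = b"\x01" * 8
    kdc = FakeKDC(
        user_keys={f"bhoward@{realm}": krb4_string_to_key(password, cell)},
        service_keys={f"afs@{realm}": b"\x02" * 8, f"afs.{cell}@{realm}": cell_key},
    )
    return cell, realm, password, kdc, FakeFileServer(cell_key)


def transarc_like_setup(password="constructed-password"):
    """Constructed cell: AFS string_to_key and a null-instance service."""
    cell, realm = "umich.edu", "UMICH.EDU"
    cell_key = b"\x03" * 8
    kdc = FakeKDC(
        user_keys={f"bhoward@{realm}": afs_string_to_key(password, cell)},
        service_keys={f"afs@{realm}": cell_key},
    )
    return cell, realm, password, kdc, FakeFileServer(cell_key)


if __name__ == "__main__":
    for setup in (athena_like_setup, transarc_like_setup):
        cell, realm, pw, kdc, fs = setup()
        variant, service, _ = obtain_afs_token("bhoward", pw, cell, realm, kdc, fs)
        print(f"{cell}: string_to_key={variant} service={service}")
```

In the Athena-like case the first issued ticket (afs@ATHENA.MIT.EDU) is rejected by the file server and the loop moves on to afs.athena.mit.edu@ATHENA.MIT.EDU; in the Transarc-like case the first combination succeeds. The acceptance check is the equivalent of reading a directory permitted to system:authuser but not system:anyuser: it is what distinguishes a token the kernel will honour from one the KDC was merely willing to issue.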