Re: [OpenAFS] what is the state of the art client setup for openafs + krb5 + windows

Fri, 11 Apr 2014 10:16:48 -0700

We run recent 1.7 clients on our Windows 7 64-bit and Server 2008R2 computers along with MIT KFW 3.2.2, and we use the integrated login.
Our setup is perhaps a little different than most, but we use alternate security identities at our site. For a user "username": 

    cs.wisc.edu                AFS cell name
    usern...@cs.wisc.edu    kerberos principal
    usern...@ad.cs.wisc.edu    Windows domain user


All passwords for users are in the kerberos domain, and a kerberos trust 
between the MIT KDC and domain controllers is in place.  The Windows 
user has an "altSecurityIdentities" entry set pointed at 
"Kerberos:usern...@cs.wisc.edu".



This setup will fetch a kerberos ticket from the MIT KDC at login, and 
that ticket is used to get an AFS token during login with integrated 
login enabled.  It has worked quite well for our site.



Documentation from Microsoft for how to set this up was originally 
written for Windows 2000 (?!), but it still seems to work fine with 
modern Windows. 
http://technet.microsoft.com/en-us/library/bb742433.aspx  Weak 
encryption types need to be enabled in group policy to allow DES 
principals to authenticate and obtain an AFS token.


John Perkins
UW-Madison Computer Sciences



On 04/10/2014 03:34 AM, Gergely Risko wrote:

Hi,

In my cell, I use Heimdal + OpenAFS fileserver on linux.

I only enabled krb5, the only keytype for my afs principal is
aes256-cts-hmac-sha1-96.  Everything works great on linux clients with
the usual kinit from heimdal, they even get tokens automatically.  For
MIT clients I have to run an extra aklog, but that's OK.  MacOS works
too out of the box.

My question is about Windows: what is the currently recommeneded
practice on windows clients for this kind of KRB5 only installations?  I
managed to get it working with some combination of MIT kerberos for
windows and openafs 1.7, but it involves the user calling kinit and
aklog in the command line.  This is ugly, because the user has to know,
that the graphical password input window is useless and should be ignored.

So, what exact binaries do you guys download and use on Windows 7 to get
graphical kerberos password prompt and openafs tokens?

Thanks,
Gergely

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info






















					Reply via email to