"Neulinger, Nathan R." wrote:
> 
> Before I start, let me preface this with the comment that I don't really
> want to do this. It's a big mess being caused by ActiveDirectory and how
> people want to implement it, including what domain name to use/etc. It's a
> combination of microsoft implementation inflexibility and local politics.
> 
> First, I remember reading something about changing the realm name at one
> point. How much trouble would it be to implement this? Is there any way to
> do it other than by setting everyone's password again? As well as the host
> principal's keys?
> 
> Related to AFS, is there any way to have the kerberos realm be different
> than your afs cell name? I remember seeing something in aklog about this,
> but I wasn't really sure how it functioned. Additionally, if I do this, what
> happens with the server keys/etc. I suppose I could create a new afs service
> key and store it in KeyFile even though it has a completely different
> salt/realm than the previous one.  Has anyone done anything like this?

We do something similar, with the K5 realm of dce.anl.gov and the AFS cell of anl.gov.
We are treating the AFS cell as an application server. 

We are still using a DCE security server as a K5 KDC and it does not support K4.
But we run a modified krb524d which will take a K5 ticket, for afsx/<afscell>@<realm>
decrypt it using a krb5.keytab, convert it to a K4 ticket for afs@<afscell>
and encrypt it using a copy of the AFS KeyFile. This is used by a modified aklog,
called ak5log. (The above was designed to not require the KDC to have K4 support,
or the krb524d to have access to a K5 database. It will work just as well with
the MIT KDC.)

This has some advantages and disadvantages. Multiple K5 realms can issue tickets
for an AFS cell. A single realm can issue tickets for multiple AFS cells. 
You could still have a kaserver, and for the admins it is still used. 
The krb524d is assuming the same usernames are in both the realm and AFS cell,
but could do a mapping. The key used for the K5 ticket and K4 ticket are independent.
With a little work it might even work with a W2K domain as the KDC.


See ftp://achilles.ctd.anl.gov/pub/kerberos.v5
I have the K5 mods to krb5-1.1.1 but not in the ftp site yet, if interested.

> 
> The other possibility is changing the cell, but that seemed as painful as
> updating all the user keys.
> 
> -- Nathan
> 
> ------------------------------------------------------------
> Nathan Neulinger                       EMail:  [EMAIL PROTECTED]
> University of Missouri - Rolla         Phone: (573) 341-4841
> Computing Services                       Fax: (573) 341-4216

-- 

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
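The realm/cell decoupling Doug describes above rests on three naming decisions made by the translator: which K5 realms are trusted to issue tickets for which AFS cell, how the K5 service name afsx/<afscell>@<realm> yields the K4 name afs@<afscell>, and whether client usernames are passed through or mapped. The following is an added example (not Doug's krb524d code, and not from the ftp site he references) that models only those decisions in Python; the ticket decryption with krb5.keytab and re-encryption with the AFS KeyFile are deliberately left out, and the trust table and username map are constructed for illustration using the realm and cell names from this thread.

```python
"""Name-mapping policy of a krb524d-style K5 -> K4 AFS token translator.

Constructed example: it models the realm/cell trust check and the
principal-name translation only, not Kerberos ticket cryptography.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed policy: which K5 realms may issue tickets for which AFS cells.
# Many realms -> one cell, and one realm -> many cells, are both expressible,
# which is the flexibility the thread points out.
CELL_TRUSTED_REALMS = {
    "anl.gov": {"dce.anl.gov", "ANL.GOV"},
    "example-cell.org": {"dce.anl.gov"},
}

# Optional per-realm username mapping. The post notes that krb524d assumes the
# same usernames on both sides "but could do a mapping"; these entries are
# constructed placeholders.
USERNAME_MAP = {
    ("dce.anl.gov", "dengert"): "engert",
}


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: str  # "" when the principal has no instance component
    realm: str


def parse_k5(name: str) -> Principal:
    """Parse a K5 name of the form primary[/instance]@REALM; reject anything else."""
    if name.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {name!r}")
    local, realm = name.split("@")
    if not local or not realm:
        raise ValueError(f"empty name or realm in {name!r}")
    primary, _, instance = local.partition("/")
    if not primary or "/" in instance:
        raise ValueError(f"unsupported principal shape in {name!r}")
    return Principal(primary, instance, realm)


def to_k4(p: Principal) -> str:
    """Render the K4 form primary[.instance]@REALM (K4 separates the instance with a dot)."""
    if p.instance:
        return f"{p.primary}.{p.instance}@{p.realm}"
    return f"{p.primary}@{p.realm}"


def afs_cell_for_service(service: Principal) -> str:
    """The K5 service afsx/<afscell>@<realm> carries the cell name in its instance.

    The issuing realm must be one the cell's operators trust; otherwise any KDC
    that could mint an afsx/<afscell> ticket would obtain an AFS token.
    """
    if service.primary != "afsx" or not service.instance:
        raise ValueError("service principal must be afsx/<afscell>@<realm>")
    if service.realm not in CELL_TRUSTED_REALMS.get(service.instance, set()):
        raise PermissionError(
            f"realm {service.realm} is not trusted for cell {service.instance}")
    return service.instance


def translate(client_k5: str, service_k5: str) -> tuple[str, str]:
    """Return (k4_client_name, k4_afs_service_name) for a K5 service ticket.

    Raises ValueError on malformed names and PermissionError when the issuing
    realm is not trusted for the requested cell.
    """
    client = parse_k5(client_k5)
    service = parse_k5(service_k5)
    cell = afs_cell_for_service(service)
    if client.realm != service.realm:
        # Constructed restriction: this translator does not accept cross-realm
        # client names; a deployment could relax this with its own policy.
        raise PermissionError("client realm differs from the ticket's issuing realm")
    user = USERNAME_MAP.get((client.realm, client.primary), client.primary)
    k4_client = to_k4(Principal(user, client.instance, client.realm))
    return k4_client, f"afs@{cell}"


if __name__ == "__main__":
    print(translate("nneul@dce.anl.gov", "afsx/anl.gov@dce.anl.gov"))
    print(translate("dengert/admin@dce.anl.gov", "afsx/anl.gov@dce.anl.gov"))
```

The trust table is the security-relevant piece: because the K5 key (in krb5.keytab) and the AFS KeyFile key are independent, nothing in the ticket itself ties the issuing realm to the cell, so the translator has to decide explicitly which realms it believes for which cells.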
