Dave Bailey wrote:
>
> Hi all,
>
> We're looking at using Win2k active directory to centralise our account
> management. My question is, can the win2k domain controller (acting as a
> kerberos 5 KDC) be used to get AFS tokens in an analogous way to using MIT
> krb5? Is it just a case of getting a working krb524d equivalent to run on
> the domain controller or is it more subtle than that?

Sorry for the late reply.

We are doing this now. The krb524d is running on a Unix system. The krb524d
uses two keys, one for K5 and one from a copy of the KeyFile. This means
the keys don't have to be the same kvno, or even the same etype, and can be
changed independently. We have been using this mod for years.

Since the krb524d is not being run on the same machine as the KDC, we added
code to the client side of the krb524 lib to look for a krb524d=location
in the krb5.conf file. (A better choice would be to use the AFS servers.)

Another option we are testing is called GSIKLOG, which uses the GSSAPI to
authenticate to a service running on the AFS servers, and returns a ticket.
Functionally this is equivalent to the above for AFS only. The nice part is
there are no Kerberos modifications or source needed, and it could work with
other GSSAPI implementations, both Kerberos based or non-Kerberos based.

>
> Cheers,
> Dave
>
> David Bailey
> Bristol University
> Email: [EMAIL PROTECTED]
> Tel: +44 117 9546879
> Fax: +44 117 9255624

--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
_______________________________________________
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info
