Lars Schimmer <[EMAIL PROTECTED]> wrote:

> I've got a subnet with about 40 PCs, some Windows, some Linux.
> The Windows clients should reside in an AD/Domain under a win2003
> server. All clients should use kerberos5 and should obtain
> tickets/tokens automatically, as home should reside in OpenAFS
> space. I learned I need two kerberos5 realms, one MIT and one
> on the AD, right?

I am not certain about this, but you might get by with only the Windows AD Kerberos.

> What is the best way to set this up?
> Use the AFS Cell name as AD realm?
> Use the AFS Cell name as MIT realm?
> Any other hint?

To my knowledge the most common is:

AFS Cell: example.com
Kerberos realm: EXAMPLE.COM
Active Directory: ad.example.com
Active Directory realm: AD.EXAMPLE.COM

Make the Active Directory trust the Kerberos realm with a one-way trust.

Set up your clients to log in to the Kerberos realm (EXAMPLE.COM) using 'ksetup /addkdc EXAMPLE.COM'; it is not needed to specify the KDC if you set up DNS correctly.

For the user 'foobar' to work, an entry needs to be added to the Kerberos realm ([EMAIL PROTECTED]), the user needs to be in the AFS pts database, and the user needs to exist in Active Directory.

In the Active Directory MMC application you choose View -> Advanced options and then you should find a "Name mapping" where you can connect the 'foobar' user in Active Directory with the Kerberos user '[EMAIL PROTECTED]'.
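
Added example, not part of the original message: a small audit that checks each user against the requirements listed in the reply (Kerberos principal, AFS pts entry, Active Directory account, name mapping). The sample data is constructed, the function names are hypothetical, and the input formats (`kadmin` `listprincs` output, `pts listentries` output, and AD mappings exported as `Kerberos:user@REALM` strings) are assumptions.

```python
REALM = "EXAMPLE.COM"  # Kerberos realm name used in the reply

# Constructed sample data (not from the original message).
KADMIN_LISTPRINCS = """\
krbtgt/EXAMPLE.COM@EXAMPLE.COM
krbtgt/AD.EXAMPLE.COM@EXAMPLE.COM
foobar@EXAMPLE.COM
alice@EXAMPLE.COM
bob@EXAMPLE.COM
"""
PTS_LISTENTRIES = """\
Name                          ID  Owner Creator
foobar                      1001   -204      1
alice                       1002   -204      1
"""
# AD account -> exported name-mapping values (assumed export format).
AD_USERS = {
    "foobar": ["Kerberos:foobar@EXAMPLE.COM"],
    "alice": [],  # account exists, but no name mapping was created
    "bob": ["Kerberos:bob@EXAMPLE.COM"],
}

def realm_users(listprincs, realm):
    """User principals (no '/' instance part) that belong to `realm`."""
    users = set()
    for line in listprincs.splitlines():
        name, _, princ_realm = line.strip().rpartition("@")
        if princ_realm == realm and name and "/" not in name:
            users.add(name)
    return users

def pts_users(listentries):
    """Names whose ID is non-negative (users, not groups); header skipped."""
    rows = (line.split() for line in listentries.splitlines()[1:])
    return {r[0] for r in rows if len(r) >= 2 and r[1].isdigit()}

def audit(listprincs, listentries, ad_users, realm=REALM):
    """Map each user to the requirements it fails (empty list = complete)."""
    krb, pts = realm_users(listprincs, realm), pts_users(listentries)
    report = {}
    for user in sorted(krb | pts | set(ad_users)):
        checks = [
            ("kerberos principal", user in krb),
            ("pts entry", user in pts),
            ("AD account", user in ad_users),
            ("name mapping", f"Kerberos:{user}@{realm}" in ad_users.get(user, [])),
        ]
        report[user] = [label for label, ok in checks if not ok]
    return report
```

With the sample data, `audit(KADMIN_LISTPRINCS, PTS_LISTENTRIES, AD_USERS)` reports `foobar` as complete, `alice` as lacking the name mapping, and `bob` as lacking a pts entry.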
