Theo: >From the perspective of OpenAFS, Active Directory is just a Kerberos 5 KDC. The reasons there were issues in the past were:
* AD issues DES-CBC-MD5 tickets instead of DES-CBC-CRC * AD issues tickets that are longer than 344 bytes In OpenAFS 1.4, support was added for DES-CBC-MD5 and DES-CBC-MD4 plus the restriction on ticket length was increased to 14000 bytes (which is documented as the largest ticket AD will issue.) Therefore, in order to use a Windows Domain as the Kerberos 5 realm for a cell you should follow Ken Hornstein's migration guide with the following exceptions: * the Kerberos 5 keytab file is generated with KTUTIL.EXE * the Active Directory account used for the service principal must be marked DES only * the kvno of the new Kerberos 5 key must not be the same as any of your pre-existing keys in the AFS keyfile Use "asetkey" from the migration guide (this is not built in 1.4.0 but will be included in 1.4.1) to import the Kerberos 5 key into the AFS key file on the servers. The AFS clients will require the aklog tool (built as part of 1.4.0 when one of the krb5 configure options is specified) and a proper /etc/krb5.conf file. (as described in the migration guide.) Jeffrey Altman theo van den bout wrote: > > Hi Guys > > > The release announcement of the new 1.4 version mentions > " This release allows Kerberos 5 KDCs including Microsoft > Active Directory to be the source of AFS client > authentication. " > > And that's precisely what i need... but i could do with a bit > more info. :) > > Can somebody please send me in the right direction? > Sofar i always used the kas-server. > > If i: > * leave out the kas-server > * configure /etc/krb5.conf > * add an afs principal (from ADS) to /etc/keytab > would that be sufficient? > ( I'm not trying to migrate, I just want it up and running. ) > > Do i need any non-default configure/compile options? > > I'm using a linux server and linux client for testing. ( SuSE 10.0 ) > > > The best > Theo > > _______________________________________________ > OpenAFS-info mailing list > [email protected] > https://lists.openafs.org/mailman/listinfo/openafs-info
smime.p7s
Description: S/MIME Cryptographic Signature
