Sean Kennedy <[EMAIL PROTECTED]> wrote:
> What I'd like to do is have openafs auth against my AD domain, going
> so far as to dynamically create afs accounts based off of AD
> accounts. Is this possible?

If you were to treat AD as a foreign realm, yes, user accounts could be auto-created. I would not recommend this though, as you would have no way to put users into groups before their accounts were created or otherwise add them to ACLs. I.e. users would need to log in and obtain AFS tokens before they could be put on ACLs. This would make it very hard to set up user home directories or other file shares, assuming you wanted to rely upon more than just the system:authusers group.

> So in my ideal setup, I wouldn't have to pre-create a user for afs if
> they already exist in my AD tree. Instead, on first log in, the
> account is automatically created. Further, the username/password
> info would be taken directly from the AD tree. This way, when a
> password changes, it doesn't need to be changed in the afs tree as
> well.

It's possible to use AD as a Kerberos realm and obtain Kerberos tickets and then AFS tokens from AD. Just create an AFS service principal in AD and use the proper ktadd.exe command to extract a keytab and then asetkey the keytab into the AFS KeyFile.

> I could get by with having to hand create the accounts in afs if I
> could get auth working against AD.

I'd strongly recommend doing this instead. There have been several posts on using AD as a KDC for AFS. Look through the archives.

<<CDC
--
Christopher D. Clausen [EMAIL PROTECTED] SysAdmin

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
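As an added illustration of the server-side half of the procedure Chris describes (this is not code from the thread or from OpenAFS), the script below loads an AD-exported keytab into the AFS KeyFile. It assumes the afs/<cell> service principal already exists in AD and its keytab has been exported from the domain controller; the cell, realm and paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: load the AFS service key exported from
# an AD domain controller into the AFS KeyFile. Assumes the afs/<cell>
# principal exists in AD and the keytab has already been exported.

# Print the highest kvno recorded in `klist -k` output for one principal.
# $1: text of `klist -k <keytab>` (with or without -t); $2: principal name.
# Exits 1 if the principal is absent, so the caller never hands asetkey a
# guessed kvno (a kvno that does not match AD's breaks every token).
keytab_kvno() {
  printf '%s\n' "$1" | awk -v p="$2" '
    $NF == p { if (!found || $1 + 0 > kvno) { kvno = $1 + 0; found = 1 } }
    END { if (!found) exit 1; print kvno }'
}

# Install the afs/<cell> key and list the KeyFile afterwards.
# $1: keytab path; $2: AFS cell name; $3: Kerberos realm (the AD domain,
# upper-case). Run as root on the AFS database/file server.
install_afs_key() {
  keytab=$1; cell=$2; realm=$3
  princ="afs/${cell}@${realm}"      # older cells used plain afs@REALM
  kvno=$(keytab_kvno "$(klist -k "$keytab")" "$princ") || {
    echo "no entry for $princ in $keytab" >&2
    return 1
  }
  # The kvno in the KeyFile must match the kvno AD puts in service tickets.
  # AD increments it whenever the principal's password is reset, so after
  # any reset the keytab must be re-exported and this step repeated.
  asetkey add "$kvno" "$keytab" "$princ" || return 1
  # Confirm the key is present; -localauth reads the KeyFile just written.
  bos listkeys localhost -localauth
}

# Usage: install_afs_key.sh /root/afs.keytab example.edu EXAMPLE.EDU
if [ "$#" -eq 3 ]; then
  install_afs_key "$1" "$2" "$3"
fi
```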
