Yes, I will try your instructions. I am not in control
of our Windows servers and they are running W2K. I do
have access to a test W2003 AD server.

>  * Use a working (non-2003 SP1) version of ktpass to export the key
>    The 2003 SP1 Support Tools version is 5.2.3790.1830.  Do not use it.

So use the original ktpass? Is there a way to verify the
working version? Thanks for all your help.

While we are on the subject: if we decide to have our
L/Unix infrastructure, including afs, authenticate to
Windows AD; how comfortable do you feel that one day
a Microsoft patch might break things? Our Windows group
say they cannot guarantee this will not happen. I know
this is a big question...

Jeffrey Altman wrote:
> John W. Sopko Jr. wrote:
>> I should have been more clear. I am only running a TEST
>> krb5 1.4.4 server under linux. I am still running kaserver.
>> Like lots of folks looking to migrate to K5, have been for
>> years.
>
> oh, much relief felt by all  :-)
>
>> I would prefer to keep the dns/realm/afs.cell names all the same.
>> The only way to do this is to run one kerberos 5 server. The
>> linux krb5_pam module seems to work fine for authenticating
>> to k5 and getting afs tokens. Aklog works great also. Have tested
>> linux krb5_pam and apache authentication to Windows AD.
>>
>> We run 3 active directory servers, currently Windows 2000
>> to be upgraded to 2003 very soon. We have a Windows group that
>> manages these machines.
>>
>> I am trying to piece things together like Eric.
>> What we need is clear steps on how to create the Windows
>> AD afs/cell.name user and the proper way to export the
>> afs/cell.name key. Would be nice to have this for both
>> W2K and W2003. The linux "asetkey" man page is real clear
>> on how to do this in linux, (thanks Russ).
>
> The instructions I provided should work for you.  If they don't,
> scream.
>
>> I plan on trying to attend the AFS & Kerberos
>> Best Practices Workshop 2007. I am sure over the next few
>> months things will get more clear on this.
>
> There is a talk from last year's workshop by Derrick on this
> very topic.
>
> Jeffrey Altman

--
John W. Sopko Jr.               University of North Carolina
email: sopko AT cs.unc.edu      Computer Science Dept., CB 3175
Phone: 919-962-1844             Sitterson Hall; Room 044
Fax:   919-962-1799             Chapel Hill, NC 27599-3175