Lars Schimmer wrote:
Hi! Now I'm on my way to switch from MIT krb5 server to Win 2003 AD krb5 server to use only ONE auth in my cell :-) In that way I've got some questions.
Start with OpenAFS 1.5.20 release notes section 3.1.1 http://www.openafs.org/release/openafs-1.5.20.html
1. is it possible, to use both server and use both to obtain tickets/tokens in the time of changing?
Yes. Some questions: Are the user names in sync between the two realms? Are the realm names the same? Does either match the cell name? Are you using aklog with krb524d currently?
Is there a problem with kvno? Or just set the Win Key one number higher than MIT key?
The AFS KeyFile has only kvnos and keys; it does not know with what realm the keys are associated, so you can have a kvno/key from the MIT server and a different kvno/key from the AD, just as long as the kvnos don't match.
2. creating user in AD is clear to me, do I need to map them via the setspn version?
Just add users like any AD user.
3. How to create host-entries? Just add a "Computer" to the AD? Some special Options to take care of?
That's not an AFS question. We use msktutil; it uses LDAP to add host accounts in AD and updates the Krb5 keytabs. (Google for msktutil.) It takes care of adding accounts and setting all the AD options for Kerberos service principals, including the afs/[EMAIL PROTECTED] principal.
4. I created an afs user in the AD as a normal user with the login afs, set user cannot change passwd, passwd never expires. Afterward I setspn afs/cgv.tugraz.at to afs. Was this correct? Any other options to check?
DES only, and maybe the NO PAC option; see: http://support.microsoft.com/kb/832572/
5. I installed the Win 2003 SP2 and tools for SP2, so no need to worry about ktpass?
Not if you use msktutil. There are some issues with the "salt" used when ktpass creates DES keys from a password for service principals.
6. After ktpass export the afs key and import it into afs servers, I can change the clients to auth against Win 2003 AD. Is it enough just to change the IP in the krb5.conf file?
See questions on what are the realm names above. Sounds like you are using the same realm names for AD and the krb5.
Thanks for the help so far. I just want to be sure that it works the way I think it should. MfG, Lars Schimmer -- TU Graz, Institut für ComputerGraphik & WissensVisualisierung Tel: +43 316 873-5405 E-Mail: [EMAIL PROTECTED] Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723 _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
-- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444
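The kvno point in the reply above (the KeyFile holds only kvno/key pairs, so the MIT and AD keys can coexist as long as their kvnos differ) can be checked mechanically. The following is an added example, not code from the thread or from OpenAFS; it assumes the classic KeyFile layout of a 4-byte big-endian key count followed by 4-byte big-endian kvno plus 8-byte DES key entries, with any trailing padding ignored, and uses constructed sample keys.

```python
import struct

# Assumed KeyFile layout (an assumption of this example, not stated in the
# thread): big-endian int32 key count, then entries of big-endian int32 kvno
# followed by an 8-byte DES key. Bytes after the counted entries are padding.
HEADER = struct.Struct(">i")
ENTRY = struct.Struct(">i8s")


def parse_keyfile(data):
    """Return a list of (kvno, key) tuples from raw KeyFile bytes."""
    (nkeys,) = HEADER.unpack_from(data, 0)
    if nkeys < 0 or len(data) < HEADER.size + nkeys * ENTRY.size:
        raise ValueError("truncated or corrupt KeyFile")
    return [ENTRY.unpack_from(data, HEADER.size + i * ENTRY.size)
            for i in range(nkeys)]


def build_keyfile(entries):
    """Serialise (kvno, key) tuples back into the assumed KeyFile layout."""
    return HEADER.pack(len(entries)) + b"".join(ENTRY.pack(k, key) for k, key in entries)


def add_key(data, kvno, key):
    """Add a key, refusing a kvno that is already present in the file."""
    if len(key) != 8:
        raise ValueError("AFS KeyFile keys are 8-byte DES keys")
    entries = parse_keyfile(data)
    if any(k == kvno for k, _ in entries):
        raise ValueError("kvno %d already present in KeyFile" % kvno)
    return build_keyfile(entries + [(kvno, key)])


def kvnos(data):
    """List the kvnos currently held in the KeyFile."""
    return [k for k, _ in parse_keyfile(data)]


# Constructed sample keys and file (not real keys): MIT realm key at kvno 3.
MIT_KEY = bytes.fromhex("0123456789abcdef")
AD_KEY = bytes.fromhex("fedcba9876543210")
SAMPLE = build_keyfile([(3, MIT_KEY)])

if __name__ == "__main__":
    both = add_key(SAMPLE, 4, AD_KEY)        # AD key one kvno higher, as asked
    print("kvnos after adding AD key:", kvnos(both))
    try:
        add_key(both, 3, AD_KEY)             # same kvno as the MIT key: rejected
    except ValueError as err:
        print("rejected:", err)
```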
