Douglas E. Engert wrote:
> Lars Schimmer wrote:
> Hi!
>
> Now I'm on my way to switch from the MIT krb5 server to a Win 2003 AD krb5
> server to use only ONE auth in my cell :-)
> Along the way I've got some questions.
>
>> Start with OpenAFS 1.5.20 release notes section 3.1.1
>> http://www.openafs.org/release/openafs-1.5.20.html

Damned. I've read that so many times over the years, but never had the AD
krb5 in mind, so I forgot the easiest part of document retrieval.

> 1. Is it possible to use both servers, and use both to obtain
> tickets/tokens during the changeover?
>
>> Yes. Some questions:
>
>> Are the user names in sync between the two realms?

Sure, users log in to the AD domain and get their ticket/token from MIT krb5.

>> Are the realm names the same? Does either match the cell name?

Both are the same and working so far; they match the cell name and the DNS.

>> Are you using aklog with krb524d currently?

No, pure aklog and krb5. No krb4 involved so far.

> Is there a problem with kvno? Or just set the Win key one number higher
> than the MIT key?
>
>> The AFS KeyFile has only kvnos and keys, it does not know with what realm
>> the keys are associated, so you can have a kvno/key from the MIT server
>> and a different kvno/key from the AD. Just as long as the kvnos don't
>> match.

Thought so, but wanted to be sure.

> 2. Creating users in AD is clear to me; do I need to map them via the
> setspn version?
>
>> Just add users like any AD user.

Fine :-)

> 3. How to create host entries? Just add a "Computer" to the AD?
> Any special options to take care of?
>
>> That's not an AFS question. We use msktutil, it uses LDAP to add host
>> accounts in AD, and updates the Krb5 keytabs. (Google for msktutil)
>> Takes care of adding accounts, and setting all the AD options
>> for Kerberos service principals, including the afs/[EMAIL PROTECTED]
>> principal.

OK, I'll have a look tomorrow.

> 4. I created an afs user in the AD as a normal user with the login afs,
> set "user cannot change password", "password never expires".
> Afterwards I ran setspn afs/cgv.tugraz.at to afs.
> Was this correct? Any other options to check?
>
>> DES only, and maybe the NO PAC option, see:
>> http://support.microsoft.com/kb/832572/

Need to check, too.

> 5. I installed Win 2003 SP2 and the tools for SP2, so no need to worry
> about ktpass?
>
>> Not if you use msktutil. There are some issues with the "salt"
>> when ktpass creates DES keys from a password for service principals.

That seems to be a fine tool. Good to know.

> 6. After ktpass exports the afs key and I import it into the AFS servers,
> I can change the clients to auth against Win 2003 AD. Is it enough just
> to change the IP in the krb5.conf file?
>
>> See the questions on what the realm names are above. Sounds like you are
>> using the same realm names for AD and the krb5.

Yeah, so far it has worked more or less fine :-)

Thanks.

Regards,
Lars Schimmer

- --
- -------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: [EMAIL PROTECTED]
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
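The kvno point made in the thread (the KeyFile holds only kvno/key pairs and does not know which realm a key came from, so an MIT key and an AD key can coexist as long as their kvnos differ) is easy to get wrong when ktpass or kadmin hands you a kvno that is already in use. The script below is an added example, not code from the thread, from OpenAFS or from any of the participants. It parses a KeyFile in the layout I believe OpenAFS's struct afsconf_keys uses (a 4-byte big-endian key count, then AFSCONF_MAXKEYS = 8 slots of 4-byte big-endian kvno plus 8-byte DES key, padded to 100 bytes; verify this against your own installation before trusting it), lists the kvnos present, checks DES key parity, and refuses to insert a key whose kvno is already taken. The sample keys are the two classic DES test vectors, constructed for the example and not real cell keys; the kvnos 3 and 4 are likewise made up.

```python
"""Inspect and extend an OpenAFS KeyFile without kvno collisions.

Added example, not from the mailing-list thread or from OpenAFS itself.
Assumed layout (from my reading of struct afsconf_keys; check it against
your installation): 4-byte big-endian key count, then 8 slots of
4-byte big-endian kvno + 8-byte DES key, file padded to 100 bytes.
"""
import struct

MAXKEYS = 8                              # AFSCONF_MAXKEYS (assumed)
SLOT = struct.Struct(">i8s")             # kvno, 8-byte DES key
KEYFILE_SIZE = 4 + MAXKEYS * SLOT.size   # 100 bytes on disk


def parse_keyfile(data: bytes) -> dict:
    """Return {kvno: key} for the populated slots; reject malformed files."""
    if len(data) < 4:
        raise ValueError("KeyFile too short")
    (nkeys,) = struct.unpack(">i", data[:4])
    if not 0 <= nkeys <= MAXKEYS:
        raise ValueError(f"implausible key count {nkeys}")
    if len(data) < 4 + nkeys * SLOT.size:
        raise ValueError("KeyFile truncated")
    keys = {}
    for i in range(nkeys):
        kvno, key = SLOT.unpack_from(data, 4 + i * SLOT.size)
        if kvno in keys:
            # Two slots with one kvno: the file is already inconsistent,
            # and the fileserver would pick whichever it hits first.
            raise ValueError(f"duplicate kvno {kvno} in KeyFile")
        keys[kvno] = key
    return keys


def build_keyfile(keys: dict) -> bytes:
    """Serialize {kvno: key} back into the assumed on-disk layout."""
    if len(keys) > MAXKEYS:
        raise ValueError(f"KeyFile holds at most {MAXKEYS} keys")
    out = struct.pack(">i", len(keys))
    for kvno, key in keys.items():
        out += SLOT.pack(kvno, key)
    return out.ljust(KEYFILE_SIZE, b"\0")


def has_odd_parity(key: bytes) -> bool:
    """Every byte of a DES key must have odd parity; a key that fails this
    was probably mangled (wrong length, hex vs raw, bad salt handling)."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def kvno_is_free(data: bytes, kvno: int) -> bool:
    """The check to run before 'asetkey add' with a kvno from another realm."""
    return kvno not in parse_keyfile(data)


def add_key(data: bytes, kvno: int, key: bytes) -> bytes:
    """Add a key under a kvno that is not yet present, whichever realm the
    existing keys belong to. Refuses rather than silently overwriting."""
    if not has_odd_parity(key):
        raise ValueError("not a valid DES key (bad length or parity)")
    keys = parse_keyfile(data)
    if kvno in keys:
        raise ValueError(
            f"kvno {kvno} already in KeyFile; choose a different kvno "
            f"for the new realm's key")
    keys[kvno] = key
    return build_keyfile(keys)


if __name__ == "__main__":
    # Constructed sample keys (DES test vectors), not real cell keys.
    mit_key = bytes.fromhex("0123456789abcdef")   # existing MIT key, kvno 3
    ad_key = bytes.fromhex("fedcba9876543210")    # new AD key, kvno 4
    keyfile = build_keyfile({3: mit_key})
    print("kvno 4 free before add:", kvno_is_free(keyfile, 4))
    keyfile = add_key(keyfile, 4, ad_key)
    for kvno, key in parse_keyfile(keyfile).items():
        print(f"kvno {kvno}: {key.hex()}  parity ok={has_odd_parity(key)}")
    # To inspect a live file read-only:  parse_keyfile(open(p, "rb").read())
```

To use this against a real server, read /usr/afs/etc/KeyFile (or wherever your installation keeps it) with parse_keyfile first, compare the kvnos it reports with what `kvno afs/cell@REALM` returns from each KDC, and only then run asetkey; the script deliberately never writes to the real file.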
