Lars Schimmer wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Douglas E. Engert wrote:
Lars Schimmer wrote:
Hi!
Now I'm on my way to switching from the MIT krb5 server to the Win 2003 AD krb5
server, to use only ONE auth in my cell :-)
Along the way I've got some questions.
Start with OpenAFS 1.5.20 release notes section 3.1.1
http://www.openafs.org/release/openafs-1.5.20.html
Damn. I've read that so many times over the years, but never had the
AD krb5 in mind, so I forgot the easiest part of document retrieval.
1. Is it possible to use both servers, and obtain tickets/tokens from both,
during the changeover?
Yes. Some questions:
Are the user names in sync between the two realms?
Sure, users log in to the AD domain and get tickets/tokens from MIT krb5.
So you keep them separate by having Windows clients use DNS SRV records to
find their KDCs, and Kerberos clients use the krb5.conf to find
their KDCs. (This sounds like some other site I know of.)
It also means that you can not use the KfW or the Network Identity Manager
to import tickets from a Windows login.
Are the realm names the same? Does either match the cell name?
Both are the same and working so far, they match the cell name and the DNS.
Are you using aklog with krb524d currently?
No, pure aklog and krb5. No krb4 involved as yet.
Is there a problem with kvno? Or just set the Win key one number higher
than the MIT key?
The AFS KeyFile has only kvnos and keys, it does not know with what realm
the keys are associated, so you can have a kvno/key from the MIT server
and a different kvno/key from the AD. Just as long as the kvnos don't
match.
Thought so, but wanted to be sure.
2. creating user in AD is clear to me, do I need to map them via the
setspn version?
Just add users like any AD user.
Fine :-)
3. How to create host-entries? Just add a "Computer" to the AD?
Some special Options to take care of?
That's not an AFS question. We use msktutil, which uses LDAP to add host
accounts in AD and updates the krb5 keytabs. (Google for msktutil.)
It takes care of adding accounts and setting all the AD options
for Kerberos service principals, including the afs/[EMAIL PROTECTED]
principal.
OK, I'll have a look tomorrow.
4. I created an afs user in the AD as a normal user with the login afs,
and set "user cannot change password" and "password never expires".
Afterwards I ran setspn to map afs/cgv.tugraz.at to afs.
Was this correct? Any other options to check?
DES only, and maybe the NO PAC option; see:
http://support.microsoft.com/kb/832572/
Need to check, too.
5. I installed the Win 2003 SP2 and tools for SP2, so no need to worry
about ktpass?
Not if you use msktutil. There are some issues with the "salt" used when
ktpass creates DES keys from a password for service principals.
That seems to be a fine tool. Good to know.
6. After exporting the afs key with ktpass and importing it into the afs
servers, I can change the clients to auth against Win 2003 AD. Is it
enough just to change the IP in the krb5.conf file?
IP? or the name of the KDC. You can also remove the kdc= lines
and use the DNS SRV records AD should already have in place:
nslookup
set type=ANY
_kerberos._udp.<realmname>
_kerberos._tcp.<realmname>
See the questions above on what the realm names are. Sounds like you are
using the same realm names for AD and the krb5.
Yeah, so far it has worked more or less fine :-)
Thanks.
MfG,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: [EMAIL PROTECTED]
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
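The kvno point made in the thread (the AFS KeyFile stores only kvno and key, with no realm, so keys from the MIT KDC and the AD KDC can coexist only while their kvnos differ) is worth checking mechanically before a server is restarted with a merged KeyFile. The following is an added example, not code from the thread or from OpenAFS: it assumes the classic KeyFile layout (a big-endian int32 key count followed by entries of a big-endian int32 kvno and an 8-byte DES key, as written by asetkey/bos addkey on 1.4/1.5-era servers), refuses a merge when a kvno is used by both realms, and also rejects keys whose bytes lack the odd parity a DES key must have. All keys and kvnos in it are constructed sample values, not real cell keys.

```python
"""Merge per-realm afs/cell keys into one OpenAFS KeyFile, refusing kvno clashes.

Added example for the KDC migration discussed on the list; not OpenAFS code.
Assumed KeyFile layout (big-endian throughout):
    int32 nkeys
    nkeys x { int32 kvno, 8 bytes DES key }
The file carries no realm, so the only thing keeping an MIT key and an AD key
apart is their kvno.
"""
import struct

KEYFILE_HEADER = struct.Struct(">i")    # nkeys, network byte order (assumed layout)
KEYFILE_ENTRY = struct.Struct(">i8s")   # kvno + 8-byte DES key (assumed layout)


def des_odd_parity(key):
    """True if every byte of an 8-byte DES key has odd parity (DES requires it)."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def merge_realm_keys(mit_keys, ad_keys):
    """Combine {kvno: key} maps from the two realms into a sorted entry list.

    Raises ValueError if a kvno is used by both realms (the KeyFile could not
    tell the two apart) or if any key is not an odd-parity DES key.
    """
    clash = sorted(set(mit_keys) & set(ad_keys))
    if clash:
        raise ValueError("kvno(s) %s used by both realms; bump the AD kvno" % clash)
    merged = {**mit_keys, **ad_keys}
    for kvno, key in merged.items():
        if not des_odd_parity(key):
            raise ValueError("kvno %d: not an odd-parity 8-byte DES key" % kvno)
    return sorted(merged.items())


def encode_keyfile(entries):
    """Serialize [(kvno, key), ...] into KeyFile bytes."""
    out = bytearray(KEYFILE_HEADER.pack(len(entries)))
    for kvno, key in entries:
        out += KEYFILE_ENTRY.pack(kvno, key)
    return bytes(out)


def decode_keyfile(data):
    """Parse KeyFile bytes back into [(kvno, key), ...] for verification."""
    (nkeys,) = KEYFILE_HEADER.unpack_from(data, 0)
    entries = []
    for i in range(nkeys):
        offset = KEYFILE_HEADER.size + i * KEYFILE_ENTRY.size
        kvno, key = KEYFILE_ENTRY.unpack_from(data, offset)
        entries.append((kvno, key))
    return entries


# Constructed sample keys (odd parity in every byte); not real cell keys.
MIT_KEYS = {3: bytes([0x01, 0x02, 0x04, 0x07, 0x08, 0x0B, 0x0D, 0x0E])}
AD_KEYS_OK = {4: bytes([0x10, 0x13, 0x15, 0x16, 0x19, 0x1A, 0x1C, 0x1F])}
AD_KEYS_CLASH = {3: AD_KEYS_OK[4]}   # same kvno as the MIT key: must be refused


if __name__ == "__main__":
    keyfile = encode_keyfile(merge_realm_keys(MIT_KEYS, AD_KEYS_OK))
    for kvno, key in decode_keyfile(keyfile):
        print("kvno %d key %s" % (kvno, key.hex()))
    try:
        merge_realm_keys(MIT_KEYS, AD_KEYS_CLASH)
    except ValueError as err:
        print("refused:", err)
```

The check is deliberately done on the kvno alone, because that is all the server has to go on: once the AD key is in the KeyFile under its own kvno, a token from either KDC is decrypted with whichever key matches the kvno in the ticket, and the realm of origin is never consulted.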