If the 'cell' name equals the 'REALM' name modulo lower/upper case,
the 'gssklog' of D.Engert (@ANL) would do the trick. If not,
try this:
- the user should get a refreshable ticket (our AD does that)
- send the ticket to an AFS server
- there: try to refresh the ticket with kinit -R
  (the AD KDC would do that only if valid and within time)
- if OK: read the ticket's realm with "klist ... | grep ' krbtgt/'"
- if that realm is in your trust list:
  - forcibly create an AFS token
    (you cannot open the ticket and compute something from its contents)
    [Inspecting gssklog will show you the way]
  - send the AFS credential to the user
  - stuff it into the kernel [like gssklog]
This way your users may have tickets from different realms, to whom you
give tokens for your cell.
Only some perl and gssklog (+ possibly some code adaptation) is required,
have a look at
/afs/rrz.uni-koeln.de/wsadmin/contrib/K5Gettoken.
My Readme for ticket passing with ssh-key login is:
/afs/rrz.uni-koeln.de/wsadmin/contrib/ \
README.ssh+credential-passing+AFS-token
We use something similar to prolong tokens for AFS users running long-term
jobs in our SGE batch system. That code stems from R. Tobbicke (@CERN).
We got it via W. Friebel (@DESY/Zeuthen). There I just replaced 'arc'
by 'ssh'.
No more hassle with cross-realm authentication.
Best Regards / Mit freundlichem Gruss
Rainer Laatsch
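As an added example (not code from the post, from gssklog or from K5Gettoken), the realm check described in the steps above, sketched in POSIX shell: refresh the forwarded ticket with kinit -R, pull the realm out of the krbtgt line of klist output, accept it only if it is on a trust list, and only then obtain the AFS token. The trust list, the cache path and the klist sample are constructed assumptions; the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Assumed trust list: realms whose tickets this cell is willing to turn into tokens.
TRUSTED_REALMS="EXAMPLE.COM AD.EXAMPLE.COM"

# Read klist output on stdin and print the realm found in the first
# "krbtgt/REALM@REALM" line (the ticket-granting ticket's realm).
ticket_realm() {
    grep ' krbtgt/' | head -n 1 \
        | sed -n 's/.* krbtgt\/[^@]*@\([A-Za-z0-9.-]*\).*/\1/p'
}

# Return 0 if the given realm is in TRUSTED_REALMS, 1 otherwise.
realm_trusted() {
    realm=$1
    for r in $TRUSTED_REALMS; do
        [ "$r" = "$realm" ] && return 0
    done
    return 1
}

# Constructed sample of klist output (not captured from a real system).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
11/06/08 10:00:00    11/06/08 20:00:00    krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 11/13/08 10:00:00'

# Whole procedure on an AFS server host: refresh, check the realm, then get a token.
# Hypothetical wrapper; requires a real KDC and AFS cell, so it is not exercised here.
grant_token() {
    ccache=$1
    # kinit -R succeeds only if the KDC still considers the ticket valid and renewable
    KRB5CCNAME="$ccache" kinit -R || { echo "ticket not renewable or expired" >&2; return 1; }
    realm=$(KRB5CCNAME="$ccache" klist | ticket_realm)
    realm_trusted "$realm" || { echo "realm '$realm' is not trusted" >&2; return 1; }
    # aklog (or gssklog, as the post suggests) turns the Kerberos ticket into an AFS token
    KRB5CCNAME="$ccache" aklog
}

# Stand-alone demonstration on the constructed sample.
realm=$(printf '%s\n' "$SAMPLE_KLIST" | ticket_realm)
if realm_trusted "$realm"; then
    echo "realm $realm is trusted; would call aklog/gssklog now"
else
    echo "realm $realm is not trusted; refusing to issue a token"
fi
```

The point of keeping the realm check separate from the kinit -R call is that the refresh proves the ticket is still valid at the KDC, while the trust list decides which realms are allowed to obtain tokens for the cell; failing either check refuses the token.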
-----------------------------------------------------------------------------
On Thu, 6 Nov 2008, Silvia Roedelsperger wrote:
Hi,
I've got a question.
Does anyone know a documentation or a howto on using Active Directory
(Windows 2008 Server) as the KDC in an OpenAFS installation?
Our test environment for the OpenAFS server is running on a Debian Etch
machine.
I just found this old thread from 2004:
http://www.openafs.org/pipermail/openafs-info/2004-June/013771.html
Unfortunately, this thread didn't help me very much.
To have two Kerberos servers (on the one hand the Windows 2008 Server, on the
other hand an MIT Kerberos server on the Debian machine) with the same
user accounts doesn't make very much sense to me.
Thanks in advance! :-)
Greetings, Silvia
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info