Hi, I'm still trying to solve some issues regarding proper integration of Active Directory into our IT environment. One thing I learned: it's impossible to forgo AD Kerberos for MIT Kerberos. Now, I cannot resign from MIT Kerberos, so I need some workarounds.
First, I'm going to block password changes from Windows boxes and force everyone to change their password on MIT Kerberos, because I can sync that to AD.

The second problem/idea is to create single sign-on to OpenAFS just by logging into a Windows account. I've seen bits and pieces that would suggest that it's possible, but I still can't wrap my head around it.

What I know, what I need:

- all users have an account both in the Active Directory domain and in MIT Kerberos (another domain) (check)
- I can form a mutual trust relationship between MIT and AD (did that to test some previous ideas)
- a user logs into the AD domain and gets an AD Kerberos ticket (but I don't know if there's any way to use this ticket for other services?)

Is there any way to use an AD ticket to get into MIT-based AFS?

/br
Stan

PS. I just stumbled on a very interesting article: https://twiki.cern.ch/twiki/bin/view/AFSService/UnifiedKerberos but I cannot read any links - I don't have a CERN account. I believe that some people here work at CERN; would somebody be so kind and share the documents linked from this one? Many thanks.

_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
