On 2011-11-02 17:17, stasheck wrote:
> Hi,
> I'm still trying to solve some issues regarding proper integration of
> ActiveDirectory into our IT environment. One thing I learned, it's
> impossible to forgo AD Kerberos for MIT Kerberos. Now, I cannot resign
> from MIT Kerberos, so I need some workarounds.
>
> First, I'm going to block password change from Windows boxes and force
> everyone to change their password on MIT Kerberos - because I can sync
> that to AD.
>
> Second problem/idea is to create SingleSignOn to OpenAFS just by
> logging into Windows account.
>
> I've seen bits and pieces that would suggest that it's possible, but I
> still can't wrap my head around it.
>
> What I know, what I need:
> - all users have account both in Active Directory domain, and in MIT
> Kerberos (another domain) (check)
> - I can form mutual trust relationship between MIT and AD (did that to
> test some previous ideas)
> - a user logs into AD domain, and gets AD Kerberos ticket (but I don't
> know if there's any way to use this ticket to other services?)
>
> Is there any way to use AD ticket to get into MIT-based AFS?
>
> /br
> Stan
>
> PS. I just stumbled on a very interesting article:
> https://twiki.cern.ch/twiki/bin/view/AFSService/UnifiedKerberos but I
> cannot read any links - I don't have a CERN account. I believe that
> some people here work at CERN, would somebody be so kind and share the
> documents linked from this one? Many thanks.
> _______________________________________________
> OpenAFS-info mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-info

Hi,
Two (complementary) ideas:

1. Try to establish a two-way trust between your AD and MIT KDC; that way your AD users would be treated by AFS as [email protected] instead of principal

2. A more aggressive approach would be migrating to Samba4, which realizes an AD (the KDC part being a slightly modified Heimdal KDC). It is still rough around the edges, but I have a test cell whose KDC is Samba4, and it works reasonably well.

Cheers
Geza
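To make the two-way trust in idea 1 concrete, here is an added krb5.conf example for the MIT-realm side (AFS clients and servers); it is not from this thread or from OpenAFS, and the realm and host names MIT.EXAMPLE.COM, AD.EXAMPLE.COM, kdc1.mit.example.com and dc1/dc2.ad.example.com are placeholders.

```ini
# Added example: krb5.conf on the MIT-realm side for a direct two-way
# cross-realm trust with an Active Directory domain.
# Placeholders: MIT.EXAMPLE.COM is the realm the AFS cell trusts,
# AD.EXAMPLE.COM is the AD domain, host names are invented.
[libdefaults]
    default_realm = MIT.EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    MIT.EXAMPLE.COM = {
        kdc = kdc1.mit.example.com
        admin_server = kdc1.mit.example.com
    }
    # The AD domain controllers are the KDCs of the AD realm.
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        kdc = dc2.ad.example.com
    }

[domain_realm]
    .mit.example.com = MIT.EXAMPLE.COM
    mit.example.com  = MIT.EXAMPLE.COM
    .ad.example.com  = AD.EXAMPLE.COM
    ad.example.com   = AD.EXAMPLE.COM

# Each direction is a single hop with no intermediate realm, hence ".".
# A user holding stan@AD.EXAMPLE.COM asks the AD KDC for
# krbtgt/MIT.EXAMPLE.COM@AD.EXAMPLE.COM and presents it to the MIT KDC
# to get the afs/<cell> service ticket; the reverse path lets MIT users
# reach AD services.
[capaths]
    AD.EXAMPLE.COM = {
        MIT.EXAMPLE.COM = .
    }
    MIT.EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
# Security caveat: an AD trust negotiates RC4 unless AES is enabled on
# the trust object, so enable AES on the AD side and restrict the
# krbtgt cross-realm principals on the MIT KDC to AES enctypes.
```

Both KDCs must hold the cross-realm principals krbtgt/MIT.EXAMPLE.COM@AD.EXAMPLE.COM and krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM with the same key on each side (created by the domain trust on AD, with kadmin addprinc on MIT). To verify the path, kinit stan@AD.EXAMPLE.COM on an MIT-client host and run kvno afs/<cell>@MIT.EXAMPLE.COM, then klist should show the cross-realm TGT followed by the AFS service ticket.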
