On 11/2/2011 11:17 AM, stasheck wrote:
> Hi, I'm still trying to solve some issues regarding proper integration of ActiveDirectory into our IT environment. One thing I learned: it's impossible to forgo AD Kerberos for MIT Kerberos. Now, I cannot resign from MIT Kerberos, so I need some workarounds.
When you say "impossible to forgo AD Kerberos for MIT Kerberos", do you mean Windows machines and users require AD accounts? Which is true. AD uses Krb5, and adds a PAC to the Krb5 tickets. I don't know what you mean by "I cannot resign". I would also assume that the AD domain name is *NOT* the same as the MIT Kerberos realm name. If they are, this is going to be a major conversion. (The AFS cell name could match either one, or be different from both.)
> First, I'm going to block password change from Windows boxes and force everyone to change their password on MIT Kerberos - because I can sync that to AD.
There should be no reason that the passwords have to be in sync.
> Second problem/idea is to create SingleSignOn to OpenAFS just by logging into a Windows account.
Yes, do it all the time. See the KfW or the Network Identity Manager from Secure Endpoints: http://www.secure-endpoints.com/#Network Identity Manager and http://www.secure-endpoints.com/#openafs
> I've seen bits and pieces that would suggest that it's possible, but I still can't wrap my head around it. What I know, what I need:
> - all users have accounts both in the Active Directory domain and in MIT Kerberos (another domain) (check)
> - I can form a mutual trust relationship between MIT and AD (did that to test some previous ideas)
> - a user logs into the AD domain and gets an AD Kerberos ticket (but I don't know if there's any way to use this ticket for other services?)
See Network Identity Manager above.
> Is there any way to use the AD ticket to get into MIT-based AFS?
Yes, cross-realm; or, since you are trying to sync passwords between the two, that implies a user in one realm is the same user in the other realm. As Andrew said in his note, the AFS cell could be in both realms at the same time. (There might be some issues as to how a client determines the default Kerberos realm of the AFS cell.)
> /br Stan
>
> PS. I just stumbled on a very interesting article: https://twiki.cern.ch/twiki/bin/view/AFSService/UnifiedKerberos but I cannot read any links - I don't have a CERN account. I believe that some people here work at CERN; would somebody be so kind as to share the documents linked from this one? Many thanks.
> _______________________________________________
> OpenAFS-info mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
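As an added illustration of the cross-realm setup Doug describes (not configuration from the thread or from any of the posters), this is a client-side krb5.conf fragment for an MIT realm that trusts an AD domain, with the AFS cell's servers in the MIT realm. All realm, host and cell names are placeholders; the cross-realm krbtgt principals must additionally exist on both KDCs with matching keys, which this fragment does not create.

```ini
# Added example, not from the thread. Placeholders:
#   MIT.EXAMPLE.COM  - the MIT Kerberos realm holding afs/cell.example.com
#   AD.EXAMPLE.COM   - the Active Directory domain users log into
#   cell.example.com - the OpenAFS cell; its database servers are *.cell.example.com
[libdefaults]
    default_realm = MIT.EXAMPLE.COM

[realms]
    MIT.EXAMPLE.COM = {
        kdc = kdc.mit.example.com
        admin_server = kdc.mit.example.com
    }
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }

[domain_realm]
    .mit.example.com = MIT.EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM
    # Maps the cell's database-server hostnames to the MIT realm, so a client
    # that resolves the cell's realm from a server name picks MIT.EXAMPLE.COM
    # rather than the AD realm the user's TGT came from.
    .cell.example.com = MIT.EXAMPLE.COM

[capaths]
    # Direct two-way trust: "." means no intermediate realm on the path.
    AD.EXAMPLE.COM = {
        MIT.EXAMPLE.COM = .
    }
    MIT.EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
```

With this in place, a user holding an AD TGT can run `aklog -c cell.example.com -k MIT.EXAMPLE.COM` to request the cross-realm service ticket for afs/cell.example.com and turn it into an AFS token; `kvno afs/cell.example.com@MIT.EXAMPLE.COM` is a quick check that the trust path works before involving aklog.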
