2011/11/2 Douglas E. Engert <[email protected]>:
>
>
> On 11/2/2011 11:17 AM, stasheck wrote:
>>
>> Hi,
>> I'm still trying to solve some issues regarding proper integration of
>> ActiveDirectory into our IT environment. One thing I learned, it's
>> impossible to forgo AD Kerberos for MIT Kerberos. Now, I cannot resign
>> from MIT Kerberos, so I need some workarounds.
>
> When you say "Impossible to forgo AD Kerberos for MIT Kerberos."
> do you mean Windows machines and users require AD accounts. Which is
> true. AD uses Krb5, and adds a PAC to the Krb5 tickets.
>
> I don't know what you mean by "I cannot resign".

Sorry, I meant "I have to use AD and MIT at the same time, for various reasons".

> I would also assume that the AD domain name is *NOT* the same as the
> MIT Kerberos realm name. If they are, this is going to be a major
> conversion. (The afs cell name could match either one, or be different
> from both.)

No, actually MIT Kerberos uses our domain name, and AD will use a subdomain.

>> First, I'm going to block password change from Windows boxes and force
>> everyone to change their password on MIT Kerberos - because I can sync
>> that to AD.
>
> There should be no reason that the passwords have to be in sync.

Unless I have users who will at one time or another use both of those services, and I want my users to remember just one password for that.

>> Second problem/idea is to create SingleSignOn to OpenAFS just by
>> logging into Windows account.
>
> Yes, do it all the time. See the KfW or the Network Identity Manager
> from Secure-endpoints.
> http://www.secure-endpoints.com/#Network Identity Manager
> and
> http://www.secure-endpoints.com/#openafs

Well, I am using KfW, but since I have no domain yet I wasn't able to test if KfW automagically gets Kerberos tickets while the user logs on. I don't want it to ask for a password a second time, after AD logon.

>> Is there any way to use AD ticket to get into MIT-based AFS?
>
> Yes cross realm, or since you are trying to sync passwords between the two,
> that implies a user in one realm is the same user in the other realm.
> As Andrew said in his note, the AFS cell could be in both realms
> at the same time. (There might be some issues as to how a client
> determines the default Kerberos realm of the afs cell.)

Yes, of course those are the same. I wasn't aware that AFS allows multiple Kerberos domains (so thanks, Andrew) - still have much learning to do. That'd of course solve one part of the problem.

So, does KfW automatically get AD ticket?

(back to my VMs)

Stan
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
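The cross-realm setup Douglas refers to, as an added example that is not part of this thread: a client-side krb5.conf for the layout Stan describes (MIT realm named after the domain, AD realm on a subdomain). Realm names, hostnames and KDCs are constructed placeholders, and the OpenAFS server krb.conf note at the end is an assumption about the cell side, not something the posters stated.

```ini
# Constructed example: krb5.conf for a client that must obtain tickets in
# both the MIT realm (EXAMPLE.COM) and the AD realm (AD.EXAMPLE.COM).
[libdefaults]
    default_realm = EXAMPLE.COM          ; MIT realm, named after the domain
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com         ; AD domain controller
    }

[domain_realm]
    ; The subdomain entries are required: without them a host such as
    ; dc1.ad.example.com would fall through to the .example.com mapping
    ; and be treated as a member of the MIT realm.
    .ad.example.com = AD.EXAMPLE.COM
    ad.example.com  = AD.EXAMPLE.COM
    .example.com    = EXAMPLE.COM
    example.com     = EXAMPLE.COM

[capaths]
    ; Direct trust in each direction ("." means no intermediate realm).
    ; Each KDC must hold the matching cross-realm principals, e.g.
    ; krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM on the AD side and
    ; krbtgt/AD.EXAMPLE.COM@EXAMPLE.COM on the MIT side, with the same key.
    AD.EXAMPLE.COM = {
        EXAMPLE.COM = .
    }
    EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
```

With this in place an AD-issued TGT can be used to request the cell's afs/cell@EXAMPLE.COM service ticket across the trust; on the OpenAFS servers, listing AD.EXAMPLE.COM in the server krb.conf (assumed here) makes users from that realm map to local PTS names instead of user@AD.EXAMPLE.COM, which is what the "cell in both realms" remark amounts to, and `klist` plus `tokens` on a test client is the quickest way to confirm which realm actually issued each ticket.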
