On 12/9/2011 2:03 PM, Valentine, Nick wrote:
> I can't use just active directory, because student IDs for AFS are created
> off a separate LDAP system, as well as not using that system for
> authentication.
>
> I need to be able to test a trust relationship off of one Kerberos system
> running on Solaris to a Windows domain.
>
> At present, do not have a single sign on system. We are using OpenAFS 1.6. As
> such, I have to learn to "coexist" by creating an intermediate test
> environment to explore the possibilities of using a trust relationship so
> students can use the 1.7 client and just sign on once.
>
> I don't know why we have three authentication systems, but my job is not to
> ask why :-)
>
> Do you have a link to documentation that could clarify this sort of OpenAFS
> Server configuration?

Setting up an authentication infrastructure using Kerberos v5 is not an
OpenAFS question. The OpenAFS piece is strictly the creation of the
afs/<cell>@<REALM> service principal entry within the realm(s) that are to
be treated as local authentication services for the AFS cell. Those realms
must be listed in the OpenAFS krb.conf file.

http://docs.openafs.org/Reference/5/krb.conf.html

The role of the Kerberos KDC to OpenAFS is documented in the OpenAFS
Administrator's guide.

http://docs.openafs.org/AdminGuide/

How to use Integrated Logon on a Windows system is documented in the
OpenAFS Windows Release Notes:

http://docs.openafs.org/ReleaseNotesWindows/index.html

How to set up cross-realm is a subject for your Kerberos and Active
Directory documentation.

When the 2008 AFS and Kerberos Workshop took place at NJIT the plan at the
time was to convert NJIT's AFS deployment from using kaserver to a
Kerberos v5 realm. Based on your questions I am guessing that project was
never completed.

Jeffrey Altman
