Dear OpenAFS community, I've been maintaining my own cell (cs.uwm.edu) including a MIT KDC for realm CS.UWM.EDU. The campus is now providing AD kerberos through a realm I'll call UWM.EDU. I'd like to use this to authenticate the majority of users (students in classes) while keeping (for now) AFS administrator principals and perhaps a few others in my kerberos realm. In other words, I'd like to authenticate against two realms. I can be responsible for ensuring compatibility between my little realm and the campus realm. Using two realms is also attractive as a possible path to getting rid of my CS.UWM.EDU realm altogether, sometime in the future.
I'm wondering whether (1) this is practical and (2) the implementation route I give below makes sense.

Proposed implementation:

1. Follow the instructions in http://wiki.openafs.org/AFSLore/WindowsK5AfsServicePrincipal/ to create a service principal afs/[email protected] with a new kvno. Add the key to each AFS server's key file.

2. Somehow, create a file /usr/afs/etc/krb5.conf on all AFS servers that lists both realms. Trying to read between the lines, perhaps what this file needs is:

    [libdefaults]
        default_realm = UWM.EDU

    [realms]
        CS.UWM.EDU = {
            kdc = kerberos.cs.uwm.edu
            kdc = kerberos-1.cs.uwm.edu
            master_kdc = kerberos.cs.uwm.edu
            admin_server = kerberos.cs.uwm.edu
        }
        UWM.EDU = {
            kdc = kerberos.uwm.edu
        }

    [appdefaults]
        afs_krb5 = {
            CS.UWM.EDU = {
                afs/cs.uwm.edu = false
            }
            UWM.EDU = {
                afs/cs.uwm.edu = false
            }
        }

   I'm very unsure of this step -- the Wiki page I pointed to just says to add the AD realm to the krb5.conf, but doesn't explain how. I found the "[appdefaults]" section mentioned on a different wiki page. The "= false" part is confusing too.

3. Then a user can authenticate either against CS.UWM.EDU or against UWM.EDU and, using

    aklog -c cs.uwm.edu -k UWM.EDU

   or

    aklog -c cs.uwm.edu -k CS.UWM.EDU

   either way will work. Right?

4. Network Identity Manager can be set up to take UWM.EDU as the realm (by default) and cs.uwm.edu as the cell for AFS.

_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
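As an added example (not from the post above or from OpenAFS), a small Python check that parses the proposed two-realm krb5.conf and flags any realm in [realms] that names no kdc or has no afs_krb5 entry for the cell, which is the consistency a practitioner would want to confirm on every AFS server before relying on aklog against either realm. The sample config is constructed from the post, and the parser handles only the section/brace subset shown there.

```python
# Constructed sample: the two-realm krb5.conf proposed in the post above.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = UWM.EDU
[realms]
    CS.UWM.EDU = {
        kdc = kerberos.cs.uwm.edu
        kdc = kerberos-1.cs.uwm.edu
        admin_server = kerberos.cs.uwm.edu
    }
    UWM.EDU = {
        kdc = kerberos.uwm.edu
    }
[appdefaults]
    afs_krb5 = {
        CS.UWM.EDU = {
            afs/cs.uwm.edu = false
        }
        UWM.EDU = {
            afs/cs.uwm.edu = false
        }
    }
"""

def parse_krb5_conf(text):
    # Sections and brace groups become nested dicts; every tag maps to a list of values.
    root, stack = {}, []
    for line in filter(None, (raw.split('#', 1)[0].strip() for raw in text.splitlines())):
        if line.startswith('[') and line.endswith(']'):
            stack = [root.setdefault(line[1:-1], {})]      # new top-level section
        elif line == '}':
            stack.pop()                                    # close the current brace group
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':
                stack.append(stack[-1].setdefault(key, {}))  # open a nested group
            else:
                stack[-1].setdefault(key, []).append(value)  # tags may repeat (two kdc lines)
    return root

def check_two_realm_config(conf, cell):
    # Report realms that list no KDC or carry no afs_krb5 setting for afs/<cell>.
    problems, afs = [], conf.get('appdefaults', {}).get('afs_krb5', {})
    for realm, settings in conf.get('realms', {}).items():
        if 'kdc' not in settings:
            problems.append(f"{realm}: no kdc listed")
        if f"afs/{cell}" not in afs.get(realm, {}):
            problems.append(f"{realm}: no afs_krb5 entry for afs/{cell}")
    return problems
```

Run `check_two_realm_config(parse_krb5_conf(open('/usr/afs/etc/krb5.conf').read()), 'cs.uwm.edu')` on each server; an empty list means both realms are wired up for the cell.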
