On 12/15/2011 12:01 PM, John Tang Boyland wrote:
> Dear OpenAFS community,
>
> I've been maintaining my own cell (cs.uwm.edu) including a MIT KDC
> for realm CS.UWM.EDU. The campus is now providing AD kerberos through a
> realm I'll call UWM.EDU. I'd like to use this to authenticate the
> majority of users (students in classes) while keeping (for now) AFS
> administrator principals and perhaps a few others in my kerberos realm.
> In other words, I'd like to authenticate against two realms. I can be
> responsible for ensuring compatibility between my little realm and the
> campus realm. Using two realms is also attractive as a possible path to
> getting rid of my CS.UWM.EDU realm altogether, sometime in the future.

Doing so is fine provided that names in CS.UWM.EDU will always match the
names in the UWM.EDU realm.

> I'm wondering whether (1) this is practical and (2) the implementation
> route I give below makes sense.
>
> Proposed implementation:
>
> 1. Follow the instructions in
> http://wiki.openafs.org/AFSLore/WindowsK5AfsServicePrincipal/
> to create a service principal afs/[email protected]
> with a new kvno. Add the key to each AFS server's key file.
>
>
> 2. Somehow, create a file /usr/afs/etc/krb5.conf
> on all AFS servers that lists both realms.

The file is .../afs/etc/krb.conf not krb5.conf

http://docs.openafs.org/Reference/5/krb.conf.html

> Trying to read between the lines, perhaps what this file needs is:
>
> [libdefaults]
>     default_realm = UWM.EDU
>
> [realms]
>     CS.UWM.EDU = {
>         kdc = kerberos.cs.uwm.edu
>         kdc = kerberos-1.cs.uwm.edu
>         master_kdc = kerberos.cs.uwm.edu
>         admin_server = kerberos.cs.uwm.edu
>     }
>     UWM.EDU = {
>         kdc = kerberos.uwm.edu
>     }
>
> [appdefaults]
>     afs_krb5 = {
>         CS.UWM.EDU = {
>             afs/cs.uwm.edu = false }
>         UWM.EDU = {
>             afs/cs.uwm.edu = false }
>     }
>
> I'm very unsure of this step -- the Wiki page I pointed to just says
> to add the AD realm to the krb5.conf, but doesn't explain how.
> I found the "[appdefaults]" section mentioned on a different wiki page.
> The "= false" part is confusing too.

OpenAFS does not use a Kerberos v5 library and therefore does not need a
krb5.conf file. The krb5.conf file is used on the client machines and I
assume you already have one for your CS.UWM.EDU realm.

> 3. Then a user can authenticate either against CS.UWM.EDU or against
> UWM.EDU and using
>     aklog -c cs.uwm.edu -k UWM.EDU
> or
>     aklog -c cs.uwm.edu -k CS.UWM.EDU
> and either way will work. Right?

They should use the realm the user obtained their TGT from. aklog tries
afs/cs.uwm.edu@<USER-REALM> first.

> 4. Network Identity Manager can be set up to take UWM.EDU as the realm
> (by default) and cs.uwm.edu as the cell for AFS.

Yes.
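The "names must match" condition above is the security-relevant part of accepting two realms: once both realms are listed as local to the cell, `jdoe@CS.UWM.EDU` and `jdoe@UWM.EDU` are the same AFS user. The Python below is an added illustration written for this page (not code from the thread or from OpenAFS) of that collapse of principals to one AFS identity, plus the pre-flight check an admin would want before enabling the second realm; the accepted-realm set and the principal list are constructed sample data.

```python
"""Added example: principal-to-AFS-name mapping for a cell that accepts
two Kerberos realms, and a check for cross-realm name collisions.

ACCEPTED_REALMS stands for the realms the admin lists in
/usr/afs/etc/krb.conf (assumption: both realms are treated as local)."""

ACCEPTED_REALMS = {"CS.UWM.EDU", "UWM.EDU"}


def parse_principal(princ: str):
    """Split 'name/instance@REALM' into (name, instance, realm)."""
    if "@" not in princ:
        raise ValueError(f"principal has no realm: {princ!r}")
    body, realm = princ.rsplit("@", 1)
    name, _, inst = body.partition("/")
    return name, inst, realm


def afs_identity(princ: str, accepted=ACCEPTED_REALMS) -> str:
    """Name the server uses for PTS/ACL lookups.

    A principal from an accepted realm loses its realm (name/inst
    becomes name.inst, as aklog does). A foreign-realm principal keeps
    its realm so it stays distinct (lower-cased here; an assumption)."""
    name, inst, realm = parse_principal(princ)
    base = f"{name}.{inst}" if inst else name
    return base if realm in accepted else f"{base}@{realm.lower()}"


def cross_realm_collisions(principals):
    """Return {afs_name: sorted realms} for every AFS name reachable from
    more than one accepted realm. Each such pair is one AFS user, so the
    two Kerberos accounts must belong to the same person."""
    seen = {}
    for p in principals:
        if parse_principal(p)[2] in ACCEPTED_REALMS:
            seen.setdefault(afs_identity(p), set()).add(parse_principal(p)[2])
    return {n: sorted(r) for n, r in seen.items() if len(r) > 1}


# Constructed sample: an admin kept only in the old realm, one name in both.
SAMPLE = ["boyland@CS.UWM.EDU", "boyland@UWM.EDU", "admin/afs@CS.UWM.EDU",
          "student1@UWM.EDU", "visitor@OTHER.EDU"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p:24} -> {afs_identity(p)}")
    print("collisions:", cross_realm_collisions(SAMPLE))
```

Run it against the real principal lists of both KDCs before adding the second realm; every reported collision must be the same person, and any name that exists only in the campus realm will also resolve to a local AFS identity.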