The service principal details are fuzzy now – we haven’t touched them in a long time – but we use a krb.conf to specify two authentication realms, neither of which matches the cell name: MIT KDC and Active Directory, with non-overlapping principal names. It works great, and the only issue getting it set up was explaining to the AD Domain admins why we needed this strange afs/[email protected] entry, and getting them to promise not to expire it like other special service accounts we have.
Richard

From: [email protected] <[email protected]> on behalf of Ken Hornstein <[email protected]>
Date: Wednesday, August 24, 2022 at 9:22 PM
To: Benjamin Kaduk <[email protected]>
Cc: Ben Huntsman <[email protected]>, [email protected] <[email protected]>
Subject: Re: [OpenAFS] Kerberos + Windows

>On Wed, Aug 24, 2022 at 04:53:11PM +0000, Ben Huntsman wrote:
>> ktpass /princ afs/[email protected] /mapuser srvAFS /mapop add
>> /out rxkad.keytab +rndpass /crypto all /ptype KRB5_NT_PRINCIPAL +dumpsalt
>
>When the name of the AFS cell does not match the name of the kerberos
>realm, the OpenAFS configuration needs to include a krb.conf file to
>specify the realm the AFS servers use for authentication. Note that this
>is completely different from the kerberos krb5.conf file and lives in a
>different location.

Ooof, I totally missed that. Yes, that would do it.

--Ken

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
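As an added illustration of the point made in the thread (cell name vs. Kerberos realm, and a krb.conf listing more than one realm as Richard describes), here is a small checker that is not part of the thread or of OpenAFS: it reads the realms from a krb.conf and reports any afs/ service principal in the server keytab whose realm is neither the uppercased cell name nor listed there. It assumes the krb.conf format is whitespace-separated realm names, and the cell, realm and principal names below are constructed sample values.

```python
"""Cross-check an OpenAFS cell name, its krb.conf and the realms of the
afs/ service principals held in the server keytab.

Assumption: krb.conf lists realm names separated by whitespace (this is
how the file is read here; verify against your OpenAFS version's docs).
All names in the sample run at the bottom are constructed, not real."""
from typing import Optional


def parse_krb_conf(text: str) -> list:
    """Return the realm names listed in a krb.conf, uppercased,
    ignoring anything after a '#' on a line."""
    realms = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        realms.extend(tok.upper() for tok in line.split())
    return realms


def principal_realm(princ: str) -> str:
    """Realm part of a principal such as afs/cell.example@REALM."""
    if "@" not in princ:
        raise ValueError(f"principal has no realm component: {princ}")
    return princ.rsplit("@", 1)[1].upper()


def check_cell(cell: str, krb_conf: Optional[str], keytab_principals: list) -> dict:
    """Report whether this cell needs a krb.conf and which keytab
    principals carry a realm the configuration does not account for.
    Without a krb.conf, the realm is taken to be the uppercased cell name."""
    default_realm = cell.upper()
    listed = parse_krb_conf(krb_conf) if krb_conf else []
    effective = listed or [default_realm]
    realms_in_keytab = sorted({principal_realm(p) for p in keytab_principals})
    needs_krb_conf = any(r != default_realm for r in realms_in_keytab)
    findings = [
        f"{p}: realm {principal_realm(p)} is neither the cell name "
        f"{default_realm} nor listed in krb.conf {effective}"
        for p in keytab_principals if principal_realm(p) not in effective
    ]
    return {"needs_krb_conf": needs_krb_conf, "realms": effective, "findings": findings}


if __name__ == "__main__":
    # Constructed example: AD realm differs from the cell name, two realms in krb.conf.
    report = check_cell("cell.example", "AD.CORP.EXAMPLE MIT.EXAMPLE",
                        ["afs/cell.example@AD.CORP.EXAMPLE", "afs/cell.example@MIT.EXAMPLE"])
    print(report)
```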
