[OpenAFS] OpenAFS using win2k DC for kerberos 5 authentication

Neulinger, Nathan nneul@umr.edu
Wed, 9 Jan 2002 13:12:46 -0600


Yep. We're doing that partially now (just testing until we're ready to move
all of our unix clients and have all userids synced up).

All you need is krb524d running on a unix station configured to read the AFS
key for the version4 ticket from a different file. I can send you the diff
(it was sent to me) if you want it (or just grab umr-krb5.diff from
/afs/umr.edu/software/krb5src/).

The one I have causes krb524d to use the afs keyfile itself for the afs key,
and a separate keytab. That separates the two tickets. (Since you can't get
the keys out of the 2k DC, that's really needed.)

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216


> -----Original Message-----
> From: Derek Atkins [mailto:warlord@MIT.EDU] 
> Sent: Wednesday, January 09, 2002 10:48 AM
> To: Dave Bailey
> Cc: 'openafs-info@openafs.org'
> Subject: Re: [OpenAFS] OpenAFS using win2k DC for kerberos 5 authentication
> 
> 
> That _should_ be sufficient.
> 
> -derek
> 
> Dave Bailey <D.Bailey@bristol.ac.uk> writes:
> 
> > Hi all,
> > 
> > We're looking at using Win2k active directory to centralise our account
> > management. My question is, can the win2k domain controller (acting as a
> > kerberos 5 KDC) be used to get AFS tokens in an analogous way to using MIT
> > krb5? Is it just a case of getting a working krb524d equivalent to run on
> > the domain controller or is it more subtle than that?
> > 
> > Cheers,
> > 	Dave
> >                                               __  _
> > David Bailey                              .-.'  `; `-._  __  _
> > Bristol University                       (_,         .-:'  `; `-._
> > Email: D.Bailey@Bristol.ac.uk          ,'o"(        (_,           )
> > Tel:   +44 117 9546879                (__,-'      ,'o"(            )>
> > Fax:   +44 117 9255624                   (       (__,-'            )
> >                                           `-'._.--._(             )
> >                                              |||  |||`-'._.--._.-'
> >                                                         |||  |||
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> 
> -- 
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available