[OpenAFS] Authenticating against krb5-only KDC (active directory)

Holger Brueckner lists@net-labs.de
22 Mar 2002 12:22:13 +0100

On Fri, 2002-03-22 at 02:54, Douglas E. Engert wrote:
> It would be afs/cell@k5realm
> This was originally designed to work with the Globus project which uses
> a GSSAPI mechanism built on top of SSL. But since it separates out the
> authentication (gssapi) from the AFS token generation, it can work with
> the Kerberos V5 GSSAPI. We have a couple of sites using this.
> It should work with MIT, Heimdal, or even Martin Rex's WIN32 GSSAPI over
> (I have not tried all of these.)

[from the README]

The servers need a certificate, key, trusted certificates directory and
afsgrid-mapfile. These default to:
The common name in the certificate must be "afs/cellname". If more
than one server is being run in the cell on multiple AFS servers, they
share the certificate, key and afsgrid-mapfile. Thus for example the ANL
cell is using this certificate:
/C=US/O=Globus/O=Argonne National Laboratory/CN=afs/anl.gov
You can get a certificate from the Globus CA, much as a gatekeeper
certificate today.
The afsgrid-mapfile allows the AFS admin to control access.
The file has a line for each user, which consists of the
certificate subject name, and the afs username, for example:
"/O=Grid/O=Globus/OU=anl.gov/CN=John Doe" jdoe
More than one username can be added, separated by commas. This lets the
select which username to use when authenticating with the certificate.
For example:
"/O=Grid/O=Globus/OU=anl.gov/CN=John Doe" jdoe,gridadmin

[readme end]

so this means normally i should generate a certificate for each user ?!?
well, this would make sense in a globus environment, but it's a lot of
overhead for a "normal" afs site.

btw. did anyone try to compile it on linux ?!?


Holger Brückner
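
The afsgrid-mapfile lookup quoted from the README above, as an added example that is not part of the original message and is not the project's own code: it parses the per-user lines and decides which AFS username a given certificate subject may obtain a token for. Rejecting malformed or duplicate lines, the username character set, and defaulting to the first listed username when none is requested are assumptions of this sketch.

```python
import re

# Constructed sample in the format the README excerpt describes:
# a quoted certificate subject name, then one or more AFS usernames.
SAMPLE_MAPFILE = '''\
"/O=Grid/O=Globus/OU=anl.gov/CN=John Doe" jdoe,gridadmin
"/O=Grid/O=Globus/OU=anl.gov/CN=Jane Roe" jroe
'''

LINE_RE = re.compile(r'^"([^"]+)"\s+(\S+)$')
USER_RE = re.compile(r'^[A-Za-z0-9._-]+$')  # assumed username charset


class MapfileError(ValueError):
    """Raised when a line cannot be read unambiguously."""


def parse_mapfile(text):
    """Return {subject: [usernames]}; fail closed on anything ambiguous."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise MapfileError("line %d: malformed entry" % lineno)
        subject, users = m.group(1), m.group(2).split(",")
        # An empty element ("jdoe,,x" or "jdoe,") fails this check too.
        if not all(USER_RE.match(u) for u in users):
            raise MapfileError("line %d: bad username list" % lineno)
        if subject in mapping:
            raise MapfileError("line %d: duplicate subject" % lineno)
        mapping[subject] = users
    return mapping


def authorize(mapping, subject, requested=None):
    """Return the AFS username to issue a token for, or None to deny."""
    allowed = mapping.get(subject)  # exact, case-sensitive subject match
    if allowed is None:
        return None
    if requested is None:
        return allowed[0]  # assumption: default to the first listed name
    return requested if requested in allowed else None
```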