[OpenAFS] Kerberos Ticket Sizes when using AD as the KDC and
OpenAFS
ted creedon
tcreedon@easystreet.com
Thu, 26 Jan 2006 14:15:51 -0800
1. Is the AFS service ticket the only thing needed to make an afs token?
2. I.e. does pts handle all the afs permissions from then on?
3. can "kinit admin" now authenticate to AD instead of a krb5 server?
thanks
tedc
Douglas E. Engert wrote:
>
>
> ted creedon wrote:
>> What happens to non service tickets?
>
> Not sure what you mean. The user's PAC is added to the initial TGT for
> the user
> then copied to service tickets and cross-realm TGTs and the service
> ticket for AFS.
>
> The NO_AUTH_REQUIRED bit would only be set on the account for the AFS
> server
> principal in AD, then when a service ticket is created for AFS the AD
> KDC will
> not copy the user's PAC to the AFS service ticket.
>
> Tickets for other services will still get a PAC.
>
> Since the AFS cache manager has some 12000 byte limits on the size of
> the ticket, and it does not use the PAC anyway, telling the KDC to
> not send
> the PAC to AFS means AFS does not have to deal with user is lots of AD
> groups.
>
>
>
>> tedc
>>
>> Douglas E. Engert wrote:
>>
>>> From the article:
>>>
>>> "New resolution for problems that occur when users belong to many
>>> groups"
>>> http://support.microsoft.com/?kbid=327825
>>>
>>> It looks like XP and W2003 no longer have a max_token_size limit,
>>> and thus
>>> the size of a ticket could now be above 12,000 bytes.
>>>
>>> So for any sites that use Active Directory as the KDC and OpenAFS,
>>> keep this folloeing option in mind for the afs/cell@realm principal
>>>
>>> "An update is available that introduces the NO_AUTH_REQUIRED flag to
>>> the UserAccountControl property in Windows Server 2003 and in
>>> Windows 2000"
>>> http://support.microsoft.com/kb/832572
>>>
>>>
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>>
>