[OpenAFS] Windows AD + openafs integration

Christopher D. Clausen cclausen@acm.org
Tue, 27 Jun 2006 13:05:24 -0500

Sean Kennedy <skennedy@tpno-co.org> wrote:
> What I'd like to do is have openafs auth against my AD domain, going
> so far as to dynamically create afs accounts based off of AD
> accounts.  Is this possible?

If you were to treat AD as a foreign realm, yes, user accounts could be 
auto-created.  I would not recommend this though, as you would have no 
way to put users into groups before their accounts were created or 
otherwise add them to ACLs.  I.e. users would need to log in and obtain 
AFS tokens before they could be put on ACLs.  This would make it very 
hard to set up user home directories or other file shares, assuming you 
wanted to rely upon more than just the system:authusers group.

> So in my ideal setup, I wouldn't have to pre-create a user for afs if
> they already exist in my AD tree.  Instead, on first log in, the
> account is automatically created.  Further, the username/password
> info would be taken directly from the AD tree.  This way, when a
> password changes, it doesn't need to be changed in the afs tree as
> well.

It's possible to use AD as a Kerberos realm and obtain Kerberos tickets and 
then AFS tokens from AD.  Just create an AFS service principal in AD and 
use the proper ktadd.exe command to extract a keytab and then asetkey 
the keytab into the AFS KeyFile.

> I could get by with having to hand create the accounts in afs if I
> could get auth working against AD.

I'd strongly recommend doing this instead.  There have been several posts 
on using AD as a KDC for AFS.  Look through the archives.

Christopher D. Clausen
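The procedure sketched in the reply above (service principal in AD, keytab out, asetkey into the KeyFile), written out as an added example. It is not from the post or from the OpenAFS project; the cell name example.cell, realm AD.EXAMPLE.COM, account svc-afs and keytab path are hypothetical. It uses ktpass.exe, the Windows Server tool that writes keytabs, for the extraction step, and the ActiveDirectory PowerShell module for the account; the AFS-server and client commands that follow are shown as comments because they are run on the Unix side.

```powershell
# Added example (not from the list post): binding an OpenAFS cell's rxkad
# service key to an Active Directory KDC.  Cell, realm, account and path
# names are hypothetical.  Needs the ActiveDirectory module (RSAT) and
# ktpass.exe (Windows Server); run as a domain admin.
$Cell    = 'example.cell'            # AFS cell name (hypothetical)
$Realm   = 'AD.EXAMPLE.COM'          # AD Kerberos realm, upper case
$Account = 'svc-afs'                 # sAMAccountName that will carry the SPN
$Keytab  = 'C:\secure\afs.keytab'    # written by ktpass; handle as a secret
$Princ   = "afs/$Cell@$Realm"

# 1. A dedicated service account whose password never expires.  Every time
#    ktpass resets the password (/pass) the key version number (kvno) in AD
#    increments, and asetkey on the AFS servers must be given that same kvno.
$Password = Read-Host -AsSecureString 'One-time password for the AFS service account'
New-ADUser -Name $Account -SamAccountName $Account `
    -UserPrincipalName "$Account@$($Realm.ToLower())" `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# 2. Classic rxkad (OpenAFS before 1.6.5) only understands single-DES keys,
#    which Windows Server 2008 R2 and later will not issue unless DES is
#    explicitly enabled on the account.  Single DES is weak: use it only for
#    an old cell, and prefer rxkad-k5 with AES (step 4b) on 1.6.5 or later.
Set-ADUser -Identity $Account -KerberosEncryptionType DES

# 3. Register the SPN on the account and write the keytab.  /pass re-derives
#    the key and so bumps the kvno; ktpass prints the resulting vno and etype,
#    which are the values asetkey needs.
& ktpass.exe /princ $Princ /mapuser "$Account@$Realm" /mapop set `
    /ptype KRB5_NT_PRINCIPAL /crypto DES-CBC-CRC /kvno 1 `
    /pass * /out $Keytab

# 4. Copy afs.keytab to each AFS database and file server over an encrypted
#    channel, then delete it from this host.  On each server (Unix shell):
#
#   4a. Classic rxkad:
#       asetkey add <kvno> /path/afs.keytab afs/example.cell@AD.EXAMPLE.COM
#       bos listkeys <server> -localauth     # confirm the kvno was installed
#   4b. OpenAFS 1.6.5+ (rxkad-k5): run ktpass with /crypto AES256-SHA1, then
#       asetkey add rxkad_krb5 <kvno> 18 /path/afs.keytab afs/example.cell@AD.EXAMPLE.COM
#       (18 is the enctype number for aes256-cts-hmac-sha1-96)
#
# 5. Client check, authenticating to the AD KDC instead of kaserver:
#   kinit alice@AD.EXAMPLE.COM && aklog -cell example.cell -k AD.EXAMPLE.COM
#   tokens                               # should show an rxkad token for the cell
#
# 6. Users still need PTS entries, which is the "hand create the accounts"
#    part of the thread (run with AFS admin tokens):
#   pts createuser -name alice -cell example.cell
```

The two things that most often go wrong are the kvno (re-running ktpass with /pass invalidates any KeyFile entry installed from the previous keytab) and the enctype (a DES keytab against an account with DES disabled, or an AES keytab fed to an asetkey that only knows classic rxkad). Verify both with bos listkeys and a kinit/aklog round trip before pointing clients at the cell.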