[OpenAFS] Active Directory Kerberos ticket allowing to access OpenAFS cell?

Douglas E. Engert deengert@anl.gov
Wed, 02 Nov 2011 14:01:26 -0500

On 11/2/2011 11:17 AM, stasheck wrote:
> Hi,
> I'm still trying to solve some issues regarding proper integration of
> Active Directory into our IT environment. One thing I learned: it's
> impossible to forgo AD Kerberos for MIT Kerberos. Now, I cannot resign
> from MIT Kerberos, so I need some workarounds.

When you say "impossible to forgo AD Kerberos for MIT Kerberos",
do you mean Windows machines and users require AD accounts? Which is
true. AD uses Krb5, and adds a PAC to the Krb5 tickets.

I don't know what you mean by "I cannot resign".

I would also assume that the AD domain name is *NOT* the same as the
MIT Kerberos realm name. If they are, this is going to be a major
conversion. (The afs cell name could match either one, or be different
from both.)

> First, I'm going to block password change from Windows boxes and force
> everyone to change their password on MIT Kerberos - because I can sync
> that to AD.

There should be no reason that the passwords have to be in sync.

> Second problem/idea is to create SingleSignOn to OpenAFS just by
> logging into Windows account.

Yes, do it all the time. See the KfW or the Network Identity Manager
from Secure-endpoints.
http://www.secure-endpoints.com/#Network Identity Manager

> I've seen bits and pieces that would suggest that it's possible, but I
> still can't wrap my head around it.
> What I know, what I need:
> - all users have account both in Active Directory domain, and in MIT
> Kerberos (another domain) (check)
> - I can form mutual trust relationship between MIT and AD (did that to
> test some previous ideas)
> - a user logs into AD domain, and gets AD Kerberos ticket (but I don't
> know if there's any way to use this ticket to other services?)

See Network Identity Manager above.

> Is there any way to use AD ticket to get into MIT-based AFS?

Yes, cross-realm. Or, since you are trying to sync passwords between the two,
that implies a user in one realm is the same user in the other realm.
As Andrew said in his note, the AFS cell could be in both realms
at the same time. (There might be some issues as to how a client
determines the default Kerberos realm of the afs cell.)

> /br
> Stan
> PS. I just stumbled on a very interesting article:
> https://twiki.cern.ch/twiki/bin/view/AFSService/UnifiedKerberos but I
> cannot read any links - I don't have a CERN account. I believe that
> some people here work at CERN, would somebody be so kind and share the
> documents linked from this one? Many thanks.
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
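An added illustration, not from Douglas's or Stan's mails and not OpenAFS's own documentation: a client-side krb5.conf sketch of the cross-realm arrangement discussed above, where the workstation logs into AD but the AFS cell is registered in the MIT realm. All realm, host and cell names (AD.EXAMPLE.COM, MIT.EXAMPLE.COM, afs.example.com, the KDC hostnames) are assumed placeholders.

```ini
# Added example (placeholder names, not a real deployment).
# Workstation users authenticate to AD; the AFS cell afs.example.com
# has its afs/afs.example.com service principal in the MIT realm.
[libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }
    MIT.EXAMPLE.COM = {
        kdc = kdc1.mit.example.com
        admin_server = kdc1.mit.example.com
    }

# Host-to-realm mapping. aklog asks libkrb5 which realm the cell's
# database server hostnames belong to (falling back to the upper-cased
# cell name), so mapping those hosts here resolves the "which realm is
# the AFS cell in?" ambiguity Douglas mentions. The realm can also be
# forced on the command line with aklog's -k option.
[domain_realm]
    .mit.example.com = MIT.EXAMPLE.COM
    afs.example.com  = MIT.EXAMPLE.COM
    .ad.example.com  = AD.EXAMPLE.COM

# Direct cross-realm trust (the trust Stan already set up): a client
# holding an AD TGT requests krbtgt/MIT.EXAMPLE.COM@AD.EXAMPLE.COM from
# the AD KDC, then afs/afs.example.com@MIT.EXAMPLE.COM from the MIT KDC.
[capaths]
    AD.EXAMPLE.COM = {
        MIT.EXAMPLE.COM = .
    }
    MIT.EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
```

With this direct trust the AFS servers only need the MIT-realm afs/cell key, because AD users reach afs/afs.example.com@MIT.EXAMPLE.COM through the cross-realm TGT rather than through a second service key in the AD realm. Keeping the two realm names distinct, as Douglas assumes, is what makes the [capaths] and [domain_realm] entries unambiguous.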