[OpenAFS] Borderline offtopic: OpenAFS as ~ for Samba AD?

Måns Nilsson mansaxel@besserwisser.org
Sat, 15 Feb 2020 13:55:41 +0100

Date: Mon, Jan 20, 2020 at 04:42:24PM -0500 Quoting Jeffrey E Altman (jaltman@auristor.com):
> No need for cross-realm.  Create an afs/cell@SAMBA4.REALM service principal
> with a kvno that differs from the afs/cell@HEIMDAL.REALM service principal
> and add the key to your AFS servers as well as adding both realm names to
> the AFS servers' krb.conf.

I've finally mustered enough bravery to tackle this.  Would proper DNS
findability for Kerberos serve as a complete substitute for "adding
both realm names to the AFS servers' krb.conf"?

I've added the afs/cell@SAMBA4.REALM principals, with identical keytypes
and a different kvno, to the rxkad.keytab on all my servers, and restarted
the processes on them.

After having fixed the krb5.conf for Heimdal on the Windows clients to
point to the right domain, I can login without delay.

I've mapped my home directory in AFS to H:\ and that's where I end up
when logging in, and I have a token issued for user@SAMBA4.REALM in my
cell. But it is not giving me any rights.

I suspect I must map my SAMBA4.REALM user to rights management in my cell
in some way. Or is there some magic I'm missing?

I've tried adding user@samba4.realm to various pts entities like groups
and the list of users, but no such luck; I get error messages
(no such user for group or ACL membership, "badly formed name" for
user creation). I'm on way too old software versions in my cell, of
course. Would upgrading help?

Most gratefully,
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE           SA0XLR            +46 705 989668
I appoint you ambassador to Fantasy Island!!!
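The two mechanisms discussed in this thread, the krb.conf local-realm list and the distinct kvno per realm in rxkad.keytab, decide what identity an AFS server derives from a token. The following is an added example, not code from the post or from OpenAFS: it models, as I understand the OpenAFS behaviour (an assumption, stated in the comments), how a Kerberos principal becomes a pts name depending on which realms the servers consider local, and checks a keytab listing for the kvno rule quoted above. The cell name, realm contents and keytab entries are constructed sample values.

```python
"""Model of how an AFS server maps an authenticated Kerberos principal to the
pts (protection database) name that ACLs and group memberships are checked
against, plus a check of the kvno rule for multi-realm rxkad.keytab files.

Added example. The mapping rules below are my understanding of OpenAFS
behaviour (assumption): a realm listed in the servers' krb.conf, or the cell
name in upper case when krb.conf is absent, is treated as local and dropped;
a Kerberos instance becomes a '.'-separated suffix; a realm that is not local
is kept, lower-cased, as an '@realm' suffix (a "foreign user").
"""
import re

# Constructed sample of /usr/afs/etc/krb.conf listing both realms as local.
KRB_CONF_BOTH = "HEIMDAL.REALM SAMBA4.REALM\n"
# Constructed sample where only the original realm is listed.
KRB_CONF_ONE = "HEIMDAL.REALM\n"
CELL_NAME = "example.cell"   # constructed cell name, not the poster's


def local_realms(krb_conf_text, cell_name):
    """Return the set of realms the servers treat as local.

    krb.conf is a whitespace-separated list of realm names; an empty or
    missing file leaves only the upper-cased cell name (assumed behaviour).
    """
    realms = {r.upper() for r in krb_conf_text.split()}
    return realms or {cell_name.upper()}


def pts_name(principal, local):
    """Map 'primary[/instance]@REALM' to the name the protection server sees."""
    m = re.fullmatch(r"([^/@]+)(?:/([^/@]+))?@([^/@]+)", principal)
    if not m:
        raise ValueError("not a Kerberos v5 principal: %r" % principal)
    primary, instance, realm = m.groups()
    name = primary if instance is None else "%s.%s" % (primary, instance)
    if realm.upper() in local:
        return name                            # local realm: plain pts name
    return "%s@%s" % (name, realm.lower())     # foreign realm: user@realm


def rights_for(acl, principal, local):
    """Look up the rights an ACL (pts name -> rights string) grants a principal."""
    return acl.get(pts_name(principal, local), "")


def kvno_conflicts(entries):
    """Find afs/cell keys that share a kvno across realms.

    entries: (principal, kvno) pairs as a 'klist -kt' listing would show them.
    rxkad.keytab keys for the same service in different realms must carry
    distinct kvnos (the rule quoted in the thread); every (service, kvno)
    pair must therefore belong to exactly one realm. Returns a list of
    (service, kvno, realm_seen_first, conflicting_realm) tuples.
    """
    seen = {}
    conflicts = []
    for principal, kvno in entries:
        service, _, realm = principal.rpartition("@")
        key = (service, kvno)
        if key in seen and seen[key] != realm:
            conflicts.append((service, kvno, seen[key], realm))
        seen.setdefault(key, realm)
    return conflicts


if __name__ == "__main__":
    # Constructed home-directory ACL: the owner has full rights.
    acl = {"mansaxel": "rlidwka", "system:anyuser": "l"}
    both = local_realms(KRB_CONF_BOTH, CELL_NAME)
    one = local_realms(KRB_CONF_ONE, CELL_NAME)
    for realms, label in ((both, "both realms local"), (one, "only HEIMDAL local")):
        name = pts_name("mansaxel@SAMBA4.REALM", realms)
        print("%-20s -> pts name %-24s rights %r"
              % (label, name, rights_for(acl, "mansaxel@SAMBA4.REALM", realms)))
    # Constructed keytab listing: same kvno in both realms is the mistake to catch.
    print(kvno_conflicts([("afs/example.cell@HEIMDAL.REALM", 3),
                          ("afs/example.cell@SAMBA4.REALM", 3)]))
```

With both realms listed, the token for user@SAMBA4.REALM resolves to the same pts name as the HEIMDAL.REALM one and the existing ACL applies; with only one realm listed, it resolves to a lower-cased `user@samba4.realm` name, which is a separate pts identity that must exist before ACLs or group memberships can refer to it.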