[OpenAFS] Using W2k domain controller to access AFS server

Ted Anderson ota@transarc.com
Wed, 3 Apr 2002 08:27:58 -0500 (EST)


On Thu, 28 Mar 2002 14:17:36 -0800 "Michael Lasevich" <openafslist@lasevich.net> wrote:
> I assume I need to connect AFS authentication to Win2k server somehow,
> but I am not sure how. If you can point out what I am missing or at
> least where to look, I'd appreciate it. I am sure I am not the first
> to try this, maybe there is an AFS-Win2k-KDC howto out there?

While not yet a HOWTO, the AFSLore Wiki has a page on this subject[1].
It would be useful to convert this page from a list of references to
something more like an actual HOWTO.  If/when you get this working,
consider contributing your experiences to this page.

> Also, is there a good on-line reference manual as to how Kerberos and
> OpenAFS work? I feel like I am missing some of the basics behind
> these beasts. Retyping commands from howto's, etc. is all well and
> nice when you are in a pinch, but I would really like to understand
> what I am doing.

There are numerous references on Kerberos.  The AFSLore KerberosV page
recommends this FAQ[2].  I don't know of a good description of how the
AFS RPC system, called Rx, uses Kerberos tickets (which AFS calls
tokens) to authenticate RPCs.  The code is in the rxkad source
directory.  But understanding the general Kerberos theory of
authenticating applications will get you most of the way there.  Mapping
from a UDP service model to one based on RPC isn't too hard.

Ted Anderson

[1] http://grand.central.org/twiki/bin/view/AFSLore/ActiveDirectory
[2] http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html