[OpenAFS] AFS, MIT Krb5, W2k

Charles Clancy security@xauth.net
Thu, 18 Apr 2002 17:56:14 -0500 (CDT)


> I get finally my AFS cell up with MIT Kerberos V authentication. This
> works pretty nice on my Linux machines, now I'd like to add my Win2k
> clients. What is the best and recommended way to get my Win2k clients
> see my AFS space, where authentication is done in Kerberos V? I would
> like *only* one user database - kerberos.

From what I understand, Win2K won't let you directly do Kerberos
authentication without some sort of domain controller involved.  In
general, Kerberos can't keep track of all the information concerning users
that Microsoft wants.  It would be like trying to use AFS without the
ptserver.

The two solutions that seem to work are the following:

1. Set up an ADS domain that's independent of your MIT K5 and AFS.  Then
configure a cross-realm trust between your ADS pseudo-K5 and your MIT K5
realms.  Users can log into windows using their ADS password, and then
get AFS tokens using their ADS TGT.

2. Skip the MIT K5 setup, and make AFS talk directly to ADS's pseudo-K5
interface.  This seems like the most robust and simple solution, if you
don't mind trusting servers running Win2K.  Linux clients should be able to
kinit against a Microsoft ADS realm without too much difficulty.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
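An added illustration of option 1 above (not part of the original thread): a minimal MIT krb5.conf for a Linux AFS client that lets a user holding an ADS TGT obtain tokens from an AFS cell whose keys live in the MIT realm. Realm and host names are placeholders; it assumes the MIT realm is EXAMPLE.COM, the ADS realm is AD.EXAMPLE.COM, and that the cross-realm principal krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM exists on both KDCs with the same key and an enctype both sides support.

```ini
# Placeholder realms: EXAMPLE.COM is the MIT KDC, AD.EXAMPLE.COM is the
# Win2K domain controller acting as a KDC.  Names are examples only.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
    AD.EXAMPLE.COM = {
        kdc = dc.ad.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM

# capaths: "." means a direct (single-hop) trust, no intermediate realm.
# Only the AD -> MIT direction is needed for AD users to reach AFS; the
# reverse entry is listed so MIT users can also reach AD-hosted services.
# Each direction is only honoured if the matching krbtgt/<dest>@<src>
# principal exists on both KDCs.
[capaths]
    AD.EXAMPLE.COM = {
        EXAMPLE.COM = .
    }
    EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
```

With this in place a user runs `kinit user@AD.EXAMPLE.COM` and then `aklog -c example.com -k EXAMPLE.COM`; the AFS cell will see the principal as `user@AD.EXAMPLE.COM`, so the PTS entry must carry the realm suffix. Note that the trust only extends as far as the krbtgt principals you create: an AD KDC that holds krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM can issue tickets for any EXAMPLE.COM service to any AD user, so the AD realm's security becomes part of the AFS cell's trust boundary.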