[OpenAFS] AFS, MIT Krb5, W2k
Nathan Neulinger
nneul@umr.edu
Thu, 18 Apr 2002 20:08:03 -0500
Charles Clancy wrote:
>
> > I finally got my AFS cell up with MIT Kerberos V authentication. This
> > works pretty nicely on my Linux machines; now I'd like to add my Win2k
> > clients. What is the best and recommended way to get my Win2k clients
> > to see my AFS space, where authentication is done in Kerberos V? I would
> > like *only* one user database - Kerberos.
>
> From what I understand, Win2K won't let you directly do Kerberos
> authentication without some sort of domain controller involved. In
> general, Kerberos can't keep track of all the information concerning users
> that Microsoft wants. It would be like trying to use AFS without the
> ptserver.

That's not true. You can tell your box to do krb5 without ADS. However,
you have to have the userids exist locally, and just set a mapping from
krb5 userid to local userid.

Look up the krb5 interop white paper from Microsoft for instructions.
Ksetup is the tool - something like 'ksetup /addkdc realm.org
kdc.realm.org' and then something else with ksetup to map the users.

-- Nathan
------------------------------------------------------------
Nathan Neulinger EMail: nneul@umr.edu
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216