[OpenAFS] AFS, MIT Krb5, W2k

Nathan Neulinger nneul@umr.edu
Thu, 18 Apr 2002 20:08:03 -0500


Charles Clancy wrote:
> 
> > I finally got my AFS cell up with MIT Kerberos V authentication. This
> > works pretty nicely on my Linux machines; now I'd like to add my Win2k
> > clients. What is the best and recommended way to get my Win2k clients
> > to see my AFS space, where authentication is done in Kerberos V? I would
> > like *only* one user database - kerberos.
> 
> From what I understand, Win2K won't let you directly do Kerberos
> authentication without some sort of domain controller involved.  In
> general, Kerberos can't keep track of all the information concerning users
> that Microsoft wants.  It would be like trying to use AFS without the
> ptserver.

That's not true. You can tell your box to do krb5 without ADS. However,
you have to have the userids exist locally, and just set a mapping from
krb5 userid to local userid.

Look up the krb5 interop white paper from Microsoft for instructions.
Ksetup is the tool - something like 'ksetup /addkdc realm.org
kdc.realm.org' and then something else with ksetup to map the users.


-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul@umr.edu
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216
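
The ksetup sequence the reply above refers to, as an added example that is not part of the original message. It assumes a standalone (non-domain) Windows workstation, a host principal already created on the MIT KDC, and the realm and KDC names from the message; the user names and the password placeholder are hypothetical.

```powershell
# Added example: point a standalone Windows client at an MIT krb5 realm.
# Run from an elevated prompt. Realm names are case-sensitive and must match
# the MIT realm exactly (uppercase by convention).
$Realm = 'REALM.ORG'          # realm from the message, written in uppercase
$Kdc   = 'kdc.realm.org'      # KDC host from the message

# 1. Make the MIT realm the machine's default realm and register its KDC.
ksetup /setrealm $Realm
ksetup /addkdc $Realm $Kdc

# 2. Set the machine account password. It must equal the password of the
#    host/<this-machine> principal on the KDC (placeholder shown here).
#    Windows 2000 names the switch /setmachpassword; later Windows releases
#    call it /setcomputerpassword.
ksetup /setmachpassword '<HOST-PRINCIPAL-PASSWORD>'

# 3. Map Kerberos principals to accounts that already exist locally.
#    An explicit one-to-one mapping (hypothetical user "alice"):
ksetup /mapuser "alice@$Realm" alice
#    Or map every principal to the local account of the same name:
# ksetup /mapuser * *

# 4. Show the resulting configuration, then reboot for it to take effect.
ksetup
```

Prefer explicit per-user mappings over the wildcard where the local account set is small: with `* *`, any principal in the realm that shares a name with a local account, including a privileged one, can log on as that account.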