[OpenAFS] AFS, MIT Krb5, W2k

Charles Clancy security@xauth.net
Thu, 18 Apr 2002 20:40:33 -0500 (CDT)


> > From what I understand, Win2K won't let you directly do Kerberos
> > authentication without some sort of domain controller involved.  In
> > general, Kerberos can't keep track of all the information concerning users
> > that Microsoft wants.  It would be like trying to use AFS without the
> > ptserver.
>
> That's not true. You can tell your box to do krb5 without ADS. However,
> you have to have the userids exist locally, and just set a mapping from
> krb5 userid to local userid.
>
> Look up the krb5 interop white paper from microsoft for instructions.
> Ksetup is the tool - something like 'ksetup /addkdc realm.org
> kdc.realm.org' and then something else with ksetup to map the users.

Right -- you can create a local user, like "afsuser", and then all
Kerberos users logging in can be mapped to use his profile and have his
access to the local filesystem.  Or, you could create individual local
accounts for every AFS user, or even configure something halfway between
those two cases.  While the first case may be "manageable" in a
large-scale environment (just requires some extra initial configuration),
the others certainly aren't.

[ t. charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
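The ksetup sequence the thread sketches, as an added example (not from either poster): point a standalone Windows 2000 box at an MIT realm without any domain controller, then the two mapping styles contrasted above, shared local account versus one local account per principal. The exact switch names follow ksetup's own syntax rather than the "something like" wording in the thread; REALM.ORG, kdc.realm.org, afsuser, alice and the host password are placeholders.

```powershell
# Added example, not part of the original thread. Placeholders: REALM.ORG,
# kdc.realm.org, afsuser, alice, <host-principal-password>.

# 1. Tell the workstation about the MIT realm (no Active Directory involved).
ksetup /setdomain REALM.ORG
ksetup /addkdc REALM.ORG kdc.realm.org
ksetup /addkpasswd REALM.ORG kdc.realm.org
# Key shared with this machine's host principal as registered in the MIT KDC.
ksetup /setcomputerpassword <host-principal-password>

# 2a. Single shared account: every principal in the realm logs on as the
#     local user afsuser and gets afsuser's profile and filesystem access.
net user afsuser * /add
ksetup /mapuser * afsuser

# 2b. Individual accounts: one local user per AFS user, mapped by principal.
#     ('ksetup /mapuser * *' is the shorthand that maps every principal to
#     the local account of the same name, still one local account each.)
net user alice * /add
ksetup /mapuser alice@REALM.ORG alice

# Review the realm, KDC and mapping state; restart for the realm settings
# to take effect.
ksetup /dumpstate
```

Use either 2a or 2b, not both; the wildcard mapping in 2a overrides per-principal mappings.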