[OpenAFS] AFS, MIT Krb5, W2k

Charles McIntyre mcintyre@cats.ucsc.edu
Fri, 19 Apr 2002 10:20:35 -0700


Charles-

I'm curious about the setup with your first example.  Here at UCSC, we've 
set up our lab PCs (W2K) to trust the campus MIT K5 server.  We sync all the 
active users into AD 6x a day, so the students can log into the lab PCs 
using their campus accounts (Kerb principals) and password.  In order to 
get AFS on the desktop, we've borrowed some code written by Stanford and 
added some duct tape and baling wire to adapt it to our 
environment.  Stanford has an app they wrote called PC-Leland.  You can set 
it to grab the username and password from the GINA and get a tgt from the 
MIT K5 server.  Then their modified TransArc AFS client looks in the 
PC-Leland cache, and gets a token for the logged-in user.  Our duct tape 
and baling wire awks the campus authoritative passwd file to get the 
user's unique home directory and creates a shortcut on the desktop that 
mounts to that path.

We'd like to migrate to using OpenAFS, but I haven't found a way to get an 
AFS token from the MS tgt.  If there is a way, we would _really_ appreciate 
learning about it!

Thanks!

Charles McIntyre


 >Date: Thu, 18 Apr 2002 17:56:14 -0500 (CDT)
 >From: Charles Clancy <security@xauth.net>
 >To: David Hajek <hajek@systinet.com>
 >Cc: openafs-info@openafs.org
 >Subject: Re: [OpenAFS] AFS, MIT Krb5, W2k
 >
 >> I get finally my AFS cell up with MIT Kerberos V authentication. This
 >> works pretty nice on my Linux machines, now I'd like to add my Win2k
 >> clients. What is the best and recommended way to get my Win2k clients
 >> see my AFS space, where authentication is done in Kerberos V? I would
 >> like *only* one user database - kerberos.
 >
 >From what I understand, Win2K won't let you directly do Kerberos
 >authentication without some sort of domain controller involved.  In
 >general, Kerberos can't keep track of all the information concerning users
 >that Microsoft wants.  It would be like trying to use AFS without the
 >ptserver.
 >
 >The two solutions that seem to work are the following:
 >
 >1. Set up an ADS domain that's independent of your MIT K5 and AFS.  Then
 >configure a cross-realm trust between your ADS pseudo-K5 and your MIT K5
 >realms.  Users can log into windows using their ADS password, and then
 >get AFS tokens using their ADS TGT.
 >
 >2. Skip the MIT K5 setup, and make AFS talk directly to ADS's pseudo-K5
 >interface.  This seems like the most robust and simple solution, if you
 >don't mind trusting servers running Win2K.  Linux clients should be able to
 >kinit against a Microsoft ADS realm without too much difficulty.
 >
 >[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
 >



___________________________

Charles McIntyre
PC/UNIX Systems Engineer
Instructional Computing, UCSC
ph: 831/459-5746

got a question? see http://ic.ucsc.edu/help
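The following is an added illustration for this thread, not code from UCSC, Stanford, OpenAFS or either poster. It sketches the two mechanical pieces the messages describe: the MIT-side krb5.conf entries for a cross-realm trust between an ADS realm and an MIT K5 realm (Clancy's option 1, so an AD-issued TGT can be exchanged for an AFS token), and the passwd lookup that the UCSC "duct tape" uses to find a user's AFS home directory. Every realm, host and cell name (CAMPUS.EXAMPLE.EDU, LABS.EXAMPLE.EDU, kdc.example.edu, dc1.example.edu) is a placeholder, and the passwd file it reads is a constructed sample; kadmin, kinit and aklog appear only in comments because they need a live KDC.

```shell
#!/bin/sh
# Added example for the AFS / MIT Krb5 / W2k thread; not code from UCSC,
# Stanford or OpenAFS. Placeholder names throughout.

MIT_REALM="${MIT_REALM:-CAMPUS.EXAMPLE.EDU}"   # placeholder MIT K5 realm
AD_REALM="${AD_REALM:-LABS.EXAMPLE.EDU}"       # placeholder ADS (Win2K) realm
MIT_KDC="${MIT_KDC:-kdc.example.edu}"          # placeholder MIT KDC host
AD_DC="${AD_DC:-dc1.example.edu}"              # placeholder domain controller

# Render a krb5.conf in which both realms are known and [capaths] marks
# the trust as direct ("." = no intermediate realm) in both directions.
render_krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $MIT_REALM

[realms]
    $MIT_REALM = {
        kdc = $MIT_KDC
        admin_server = $MIT_KDC
    }
    $AD_REALM = {
        kdc = $AD_DC
    }

[domain_realm]
    .example.edu = $MIT_REALM

[capaths]
    $AD_REALM = {
        $MIT_REALM = .
    }
    $MIT_REALM = {
        $AD_REALM = .
    }
EOF
}

# The trust itself is a pair of krbtgt principals that must hold the same
# key in both KDCs. This only prints their names; on the MIT side they are
# created with kadmin (e.g. kadmin.local -q "addprinc krbtgt/..."), on the
# Windows side with the domain's own tooling, which is out of scope here.
trust_principals() {
    # AD-issued TGT -> MIT services: the direction that turns a Windows
    # logon into an AFS token.
    printf 'krbtgt/%s@%s\n' "$MIT_REALM" "$AD_REALM"
    # MIT-issued TGT -> AD services: the reverse direction, optional.
    printf 'krbtgt/%s@%s\n' "$AD_REALM" "$MIT_REALM"
}

# Client side once the trust exists (not executed here):
#   kinit alice@LABS.EXAMPLE.EDU       # or reuse the TGT the Windows logon holds
#   aklog -c campus.example.edu -k CAMPUS.EXAMPLE.EDU
# aklog obtains the afs service ticket from the MIT realm through the
# cross-realm TGT and installs the resulting token.

# Home-directory lookup: field 6 of the matching passwd line. The passwd
# file is passed as $2 so the function can run on a constructed sample.
# Exits non-zero when the user is absent, so a caller never builds a
# desktop shortcut to an empty path.
home_dir_for_user() {
    awk -F: -v u="$1" '$1 == u { print $6; found = 1 } END { exit !found }' "$2"
}

# Demo against a constructed passwd sample (not a real campus file).
main() {
    sample=$(mktemp)
    printf 'alice:x:1001:100:Alice:/afs/campus.example.edu/user/a/alice:/bin/sh\n' >"$sample"
    printf 'bob:x:1002:100:Bob:/afs/campus.example.edu/user/b/bob:/bin/sh\n' >>"$sample"
    render_krb5_conf
    trust_principals
    home_dir_for_user alice "$sample"
    rm -f "$sample"
}

main "$@"
```

The [capaths] stanza is the part most often missed: without it an MIT client holding a LABS.EXAMPLE.EDU TGT does not know it may ask that realm's KDC for a krbtgt/CAMPUS.EXAMPLE.EDU ticket, and aklog fails even though the trust principals exist. The lookup function deliberately fails rather than printing an empty line, which is the failure mode a shortcut-creating script needs to handle.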