[OpenAFS] AFS, MIT Krb5, W2k

Charles Clancy security@xauth.net
Fri, 19 Apr 2002 12:46:58 -0500 (CDT)


> Charles McIntyre <mcintyre@cats.ucsc.edu> writes:
>
> > Charles-
> >
> > We'd like to migrate to using OpenAFS, but I haven't found a way to
> > get an AFS token from the MS tgt.  If there is a way, we would
> > _really_ appreciate learning about it!
>
> I was told: ms2mit + aklog

ms2mit assumes you've logged into Windows normally, but authenticating
against an ADS server.  If that's the case, it will take your ADS
credentials and create an MIT-compatible TGT out of them, which can be
used by standard kerberized applications, such as aklog.

In your case, the TGT obtained by ms2mit would be for your ADS, not for
your other Kerberos realm.  If you set up a trust between ADS and the
Kerberos realm, you should be able to use your ADS TGT to get a TGT on the
other Kerberos realm, and consequently use aklog to get an AFS token.

However, if you get rid of your second Kerberos setup altogether, and
just use ADS, you can dispense with most of the duct tape and superglue
that's in your current environment.  You'd have 1 place to store all
account information (except ptserver data, and nss data, of course --
unless you used ADS's LDAP interface to provide the nss), and no longer
need the complex synchronization.

[ t. charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
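The ms2mit + aklog flow from the thread as an added example, not code from the original post: a POSIX shell wrapper (assumed to run under a Unix-style shell on the Windows box) that reads the realm of the TGT ms2mit imported and chooses between a plain aklog call and the cross-realm form. The cell example.com, its realm AFS.EXAMPLE.COM and the Windows realm ADS.EXAMPLE.COM are assumed names.

```shell
#!/bin/sh
# Added example (not from the original post). ms2mit copies the Windows
# logon TGT into the MIT credentials cache; this script inspects that cache
# with klist and picks the aklog invocation that fits the realm it finds.
# Assumed names: AFS cell example.com, its Kerberos realm AFS.EXAMPLE.COM,
# and the Windows (ADS) realm ADS.EXAMPLE.COM.

# Realm of the default principal in a `klist` listing read from stdin.
tgt_realm() {
    sed -n 's/^Default principal: [^@]*@//p' | head -n 1
}

# aklog command for cell $1 (whose AFS realm is $2) when the cache holds a
# TGT for realm $3. Same realm: plain aklog. Different realm (the ADS case
# in the post): name the AFS realm explicitly; this only succeeds once a
# cross-realm trust exists so the library can fetch the cross-realm TGT.
aklog_cmd() {
    if [ "$3" = "$2" ]; then
        echo "aklog -c $1"
    else
        echo "aklog -c $1 -k $2"
    fi
}

# Full flow on a Windows box with MIT Kerberos for Windows and OpenAFS.
get_afs_token() {
    cell=$1; afs_realm=$2
    ms2mit || return 1                      # import the LSA TGT into the MIT cache
    realm=$(klist | tgt_realm)
    [ -n "$realm" ] || { echo "no TGT in credentials cache" >&2; return 1; }
    $(aklog_cmd "$cell" "$afs_realm" "$realm") && tokens
}

# Constructed klist output, as ms2mit would leave it after an ADS logon.
SAMPLE_KLIST='Ticket cache: API:krb5cc
Default principal: jdoe@ADS.EXAMPLE.COM

Valid starting     Expires            Service principal
04/19/02 12:46:58  04/19/02 22:46:58  krbtgt/ADS.EXAMPLE.COM@ADS.EXAMPLE.COM'

# Offline demonstration: derive the aklog call from the constructed listing.
demo() {
    realm=$(printf '%s\n' "$SAMPLE_KLIST" | tgt_realm)
    aklog_cmd example.com AFS.EXAMPLE.COM "$realm"
}

demo
```

On a real machine call `get_afs_token example.com AFS.EXAMPLE.COM` after the Windows logon; `tokens` then shows the resulting AFS token.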