[OpenAFS] Windows 2000 + openafs integration
Douglas E. Engert
deengert@anl.gov
Thu, 21 Aug 2003 09:27:04 -0500
Andréas Kühne wrote:
>
> Hi all,
>
> I have been looking through the archives and the Internet in general for information about integration of OpenAFS and Windows 2000.
>
> What I want to do is the following:
>
> I have a WIndows 2000 domain that is spread over 3 sites (connected via a 2Mbit/s WAN). All of the files are currently located at our Stockholm branch. Because of the speed of our links I would like to place an OpenAFS server at each site and spread our files via AFS.
>
> All of our clients are running windows 2000, with domain account (password change every 2 months). This means that we would have to change the passwords on the OpenAFS machines as well.
>
> What I would like to do is use the Windows 2000 Kerberos 5 service to authenticate the OpenAFS accounts against Active Directory. 2 questions:
>
> 1. Is this possible?
Yes. There are a number of way including the aklog, and the gssklog. We are moving towards
the gssklog for a number of reasons.
The gssklog running on a W2K client in a domain can
can use the user's login credentials via the Microsoft SSPI.
It can also use the MIT GSSAPI (gssapi32.dll), and will
try both looking for credentials.
It does not require any Kerberos code on W2k to build.
This greatly reduces the complexity of building and using
this package. (The gssklogd still needs to run on a Unix system.)
The gssklog client can also run on Unix.
See:
ftp://achilles.ctd.anl.gov/pub/DEE/README.GSSKLOG
ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.8.tar
> 2. If so, how do I configure openAFS to authenticate against the Kerberos 5 service?
See the readme above.
>
> Regards,
>
> Andréas
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444