[OpenAFS] OpenAFS + MIT in a heterogeneous network

Jerome Walter walter@efrei.fr
Mon, 30 Jun 2003 15:41:19 +0200


Hi,

First of all, I am new to OpenAFS use and administration. I have to set up a
network in which Windows users and Unix users access the same shares while being
authenticated. For this, what I read about AFS convinced me, as I have Kerberos
authentication working fine.

My first problem is to get AFS working on my server. For testing purposes,
the AFS and Kerberos servers are on the same machine, but they should move
shortly. How must I set up the AFS server to get the credentials the users have
obtained from the MIT KDC during the authentication process? All the steps
and guides I found were not very clear about the settings to use without
kaserver, or did not work. For info, my server is GNU/Debian stable.

When I type aklog -d, here is what I get:
walter@kerberos:~% aklog -d
Authenticating to cell users.es.efrei.fr (server kerberos.es.efrei.fr).
We've deduced that we need to authenticate to realm USERS.ES.EFREI.FR.
Getting tickets: afs/users.es.efrei.fr@USERS.ES.EFREI.FR
Kerberos error code returned by get_cred: -1765328228
aklog: Couldn't get users.es.efrei.fr AFS tickets:
aklog: Cannot contact any KDC for requested realm while getting AFS tickets

walter@kerberos:~% klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: walter@USERS.ES.EFREI.FR

Valid starting     Expires            Service principal
06/30/03 15:19:21  07/01/03 01:19:21  krbtgt/USERS.ES.EFREI.FR@USERS.ES.EFREI.FR
06/30/03 15:19:42  07/01/03 01:19:21  afs/users.es.efrei.fr@USERS.ES.EFREI.FR
06/30/03 15:19:50  07/01/03 01:19:21  krbtgt/ES.EFREI.FR@USERS.ES.EFREI.FR

Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached

Is Kerberos v4 required?



My second point comes from my Windows 2000 stations. Each workstation
authenticates against the MIT KDC thanks to a one-way trust and so gets credentials
from both USERS.ES.EFREI.FR (MIT realm) and ES.EFREI.FR (AD realm).
How can I set up my clients to use credentials from the USERS.ES.EFREI.FR realm
and not the AD one? If that is impossible, how could I set up AD (Active Directory) to
get credentials for the afs service?


I acknowledge that afs commands and settings are quite obscure to me; is there
anyone who could help me get this working for my university?

TIA,

Best Regards

Jerome Walter

-- 
-+--   Jérôme Walter - 	I2 EFREI		          ----+-
 Equipe Système - Efrei Robotique - Jap'Efrei - Erasmus Tutors
 "The World is my country" - "Nihon no tomodachi desu"
EFREI System and Networking guide http://perso.efrei.fr/~walter/
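The aklog -d output above prints a raw com_err code (-1765328228) next to its message. The following is an added example, not code from the post, from OpenAFS or from MIT Kerberos: it reimplements com_err's table-name packing so that a bare code seen in a log can be split back into its error table ("krb5") and offset (156), and reproduces the real ERROR_TABLE_BASE_krb5 value from the name alone. The message table at the bottom is a constructed two-entry subset (the entry from the post plus one other well-known krb5 error), not the full MIT table.

```python
"""Decode com_err-style error codes such as the -1765328228 that aklog printed.

Added example (not from the original post). MIT Kerberos and the libraries
built on it report errors as 32-bit com_err codes: a 24-bit table id, which is
the table name ("krb5", "kadm", ...) packed 6 bits per character, followed by
an 8-bit offset into that table. The character set and bit layout below are
com_err's own; the message table is a constructed subset for this example.
"""
from typing import Tuple

# com_err's character set: index + 1 is the 6-bit value of each character,
# so a packed character is never 0 (0 marks an unused position).
_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
_BITS_PER_CHAR = 6
_ERRCODE_RANGE = 8          # low 8 bits hold the offset within the table
_MAX_NAME_LEN = 4           # 4 * 6 = 24 bits of table id


def _to_signed32(value: int) -> int:
    """Interpret a 32-bit pattern as a C signed 32-bit long (hence the negative codes)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def table_base(name: str) -> int:
    """Return ERROR_TABLE_BASE_<name> exactly as compile_et derives it."""
    if not 0 < len(name) <= _MAX_NAME_LEN:
        raise ValueError("com_err table names are 1..4 characters")
    packed = 0
    for ch in name:
        packed = (packed << _BITS_PER_CHAR) | (_CHARSET.index(ch) + 1)
    return _to_signed32(packed << _ERRCODE_RANGE)


def decode(code: int) -> Tuple[str, int]:
    """Split a com_err code into (table name, offset within that table)."""
    unsigned = code & 0xFFFFFFFF
    offset = unsigned & ((1 << _ERRCODE_RANGE) - 1)
    packed = unsigned >> _ERRCODE_RANGE
    chars = []
    while packed:
        value = packed & ((1 << _BITS_PER_CHAR) - 1)
        if value == 0:
            raise ValueError("not a com_err code: zero character inside table id")
        chars.append(_CHARSET[value - 1])
        packed >>= _BITS_PER_CHAR
    return "".join(reversed(chars)), offset


# Constructed subset of the krb5 error table (offset -> message). Offset 156
# is the entry aklog printed in the post; offset 7 is the well-known
# KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. The real table has far more entries.
KRB5_MESSAGES = {
    7: "Server not found in Kerberos database",
    156: "Cannot contact any KDC for requested realm",
}


def explain(code: int) -> str:
    """Render a raw code as 'table error offset (base + offset): message'."""
    table, offset = decode(code)
    if table == "krb5":
        text = KRB5_MESSAGES.get(offset, "(offset not in this example's table)")
    else:
        text = "(table not covered by this example)"
    return f"{table} error {offset} (ERROR_TABLE_BASE_{table} + {offset}): {text}"


if __name__ == "__main__":
    # The code from the post's aklog -d output.
    print(explain(-1765328228))
```

Two points worth noting from the decoding: the 8-bit offset means each com_err table holds at most 256 messages, and the negative sign is only the 32-bit signed view of a table id whose top bit happens to be set, so comparing codes as unsigned or masking with 0xFFFFFFFF first is what makes the split robust.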