[OpenAFS] Active Directory as KDC documentation

Douglas E. Engert deengert@anl.gov
Tue, 08 Jun 2004 16:21:37 -0500


<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<body link="#0000FF" vlink="#606420" lang="EN-US">
&nbsp;
<p>"Justice, William (WJJ.)" wrote:
<blockquote TYPE=CITE>

<div class=Section1>
<div class="MsoNormal"><span style='font-size:10.0pt;
font-family:Arial'><font face="Arial"><font size=-1>Is
there any documentation on using Active Directory as the KDC in an OpenAFS
installation?&nbsp; Google gave some news group postings from a couple
of years ago, figure there is some more up to date info?</font></font></span></div>

<div class="MsoNormal"><font face="Arial"><font size=-1></font></font></div>


<p class="MsoNormal"><font face="Arial"><font size=-1>Jeff covered this
very well.&nbsp; I would like to add that we are running modified OpenAFS
1.2.11</font></font>
<div class="MsoNormal"><font face="Arial"><font size=-1>servers that understand
the MD5 and large packets. Most users are in&nbsp; Windows 2003 AD</font></font></div>

<div class="MsoNormal"><font face="Arial"><font size=-1>and the Domain
name is the same as the AFS cell name. So there does not need to be any</font></font></div>

<div class="MsoNormal"><font face="Arial"><font size=-1>mapping of principals
or other conversions.</font></font></div>

<div class="MsoNormal"><font face="Arial"><font size=-1></font></font></div>


<p class="MsoNormal"><font face="Arial"><font size=-1>The reason we put
the mods into 1.2.11 rather than waiting for 1.3.x on the servers was that</font></font>
<div class="MsoNormal"><font face="Arial"><font size=-1>the KfW and&nbsp;
OpenAFS on the PC by default may try and get a token&nbsp; that can be
used</font></font></div>

<div class="MsoNormal"><font face="Arial"><font size=-1>directly without
going through&nbsp; aklog or having the user use&nbsp; gssklog on the PC.
The token</font></font></div>

<div class="MsoNormal"><font face="Arial"><font size=-1>looks good,&nbsp;
but the server can not handle it.</font></font></div>

<div class="MsoNormal"><font face="Arial"><font size=-1></font></font></div>


<p class="MsoNormal"><font face="Arial"><font size=-1>Unix users continue
to use ak5log or gssklog to get tokens, which&nbsp; allows krb524d or gssklogd
to</font></font>
<div class="MsoNormal"><font face="Arial"><font size=-1>rebuild the token,
discard the Microsoft&nbsp; PAC, and change the enctype. Thus old unix
clients can</font></font></div>

<div class="MsoNormal"><font face="Arial"><font size=-1>run as before.</font></font></div>


<p class="MsoNormal"><span style='font-size:10.0pt;
font-family:Arial'><font face="Arial"><font size=-1>Thanks!</font></font></span>

<p class="MsoNormal"><span style='font-size:10.0pt;
font-family:Arial'></span>
<pre><span style='font-size:10.0pt'><font face="Courier New"><font size=-1>-- Bill&nbsp;</font></font>



</span></pre>

<div class="MsoNormal"><span style='font-size:
10.0pt'></span></div>
</div>
</blockquote>

<p>--
<p>&nbsp;Douglas E. Engert&nbsp; &lt;DEEngert@anl.gov>
<br>&nbsp;Argonne National Laboratory
<br>&nbsp;9700 South Cass Avenue
<br>&nbsp;Argonne, Illinois&nbsp; 60439
<br>&nbsp;(630) 252-5444
<br>&nbsp;
</body>
</html>