[OpenAFS] Active Directory as KDC documentation

Justice, William (WJJ.) wjustice@ford.com
Wed, 9 Jun 2004 18:39:35 -0400


Jeff,

Just making sure... so you don't need to run krb524 with the setup in
your last paragraph below?

-- Bill

-----Original Message-----
From: Jeffrey Altman [mailto:jaltman@columbia.edu]
Sent: Tuesday, June 08, 2004 10:36 AM
To: Justice, William (WJJ.)
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Active Directory as KDC documentation

Justice, William (WJJ.) wrote:

Is there any documentation on using Active Directory as the KDC in an
OpenAFS installation?  Google gave some news group postings from a
couple of years ago, figure there is some more up to date info?

Thanks!

-- Bill

Things really have not changed all that much.
The primary issue with using Windows 2003 Active Directory as the KDC
is that Windows 2003 will not issue tickets using the DES-CBC-CRC enctype.
It will issue tickets using the DES-CBC-MD5 enctype.  This is fine if you are
using a krb524 service to translate your Kerberos 5 tickets to Kerberos 4 tickets
(not supported by Active Directory but you can host the MIT Kerberos version
on the machine using keytabs); or if you are using gssklog (again you would need
to add this but more importantly support for this is not integrated with the
Windows AFS client.)

The long term direction is to internally support Kerberos 5 tickets as AFS tokens
everywhere they are needed including the large tickets produced by Active Directory.
This support is built into both the Windows versions and the Unix/Linux version
as of 1.3.64.  Although the Windows version is the recommended product to use
because it is the best we have; the Unix/Linux 1.3 branch is still considered a development
branch and you would need to think long and hard before using it.

The way that I have setup my cells for use with Active Directory is that I have an
MIT KDC which stores the service principal for the AFS cell.  Then there is a cross-realm
trust between Active Directory and the MIT realm.  Therefore, I can force the
service tickets to be DES-CBC-CRC and be of small enough size to be used directly
with the 1.2.11 AFS servers while still using pure Kerberos 5.

Jeffrey Altman
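The setup in the last paragraph above, worked through as an added example; this is editorial material, not code from either poster or from OpenAFS. The realm names AD.EXAMPLE.COM and MIT.EXAMPLE.COM, the cell cell.example.com, the hostnames and the user bill are assumptions, as is MIT Kerberos 1.3-era kadmin/klist syntax. The point it makes concrete is the one the message relies on: the enctype of the afs/cell service ticket is decided by the key material of the KDC that holds that principal, so keeping afs/cell in an MIT KDC with nothing but a des-cbc-crc key pins the ticket to DES-CBC-CRC no matter what Active Directory issued to the client. The check function reads `klist -e` output and confirms that is what actually happened.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenAFS). Assumed names: AD.EXAMPLE.COM is the
# Active Directory realm, MIT.EXAMPLE.COM the MIT realm holding the AFS service principal,
# cell.example.com the AFS cell; hostnames and the user bill are likewise invented.

# One-time KDC work, shown as comments because it needs the KDCs. On the MIT KDC (kadmin.local):
#   addprinc -randkey -e des-cbc-crc:normal afs/cell.example.com@MIT.EXAMPLE.COM
#   ktadd -k /tmp/afs.keytab -e des-cbc-crc:normal afs/cell.example.com@MIT.EXAMPLE.COM
#   addprinc -e des-cbc-crc:normal krbtgt/MIT.EXAMPLE.COM@AD.EXAMPLE.COM   # same password as
#   addprinc -e des-cbc-crc:normal krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM   # the AD realm trust
# Giving afs/cell.example.com ONLY a des-cbc-crc key is what forces the service ticket to be
# DES-CBC-CRC: the MIT KDC has no other key to encrypt it with, whatever AD handed the client.
# Load that key on each fileserver:  asetkey add <kvno> /tmp/afs.keytab afs/cell.example.com@MIT.EXAMPLE.COM
# On the AD side create a realm trust to MIT.EXAMPLE.COM using the same trust password.

# Client-side krb5.conf fragment. Users kinit against AD; [capaths] spells out the direct
# cross-realm hop so the client asks AD for krbtgt/MIT.EXAMPLE.COM@AD.EXAMPLE.COM.
afs_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = AD.EXAMPLE.COM
# Only needed on MIT 1.7 and later, which refuse single-DES unless told otherwise.
    allow_weak_crypto = true

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }
    MIT.EXAMPLE.COM = {
        kdc = kdc1.mit.example.com
        admin_server = kdc1.mit.example.com
    }

[domain_realm]
    .ad.example.com = AD.EXAMPLE.COM
    .mit.example.com = MIT.EXAMPLE.COM

[capaths]
    AD.EXAMPLE.COM = {
        MIT.EXAMPLE.COM = .
    }
EOF
}

# Read `klist -e` output on stdin; $1 is the cell name. Exit 0 only if the afs/<cell>
# ticket is present and both its session key and the ticket itself are DES-CBC-CRC
# (MIT prints that enctype as "DES cbc mode with CRC-32"); exit 1 otherwise.
check_afs_ticket_enctype() {
    awk -v cell="$1" '
        # a ticket line ends with the service principal; the Etype line follows it
        $NF ~ ("^afs/" cell "@") { want = 1; next }
        /Etype \(skey, tkt\):/ {
            if (want) {
                found = 1
                e = $0
                sub(/.*Etype \(skey, tkt\): */, "", e)
                if (e ~ /^DES cbc mode with CRC-32, *DES cbc mode with CRC-32 *$/) ok = 1
            }
            want = 0; next
        }
        { want = 0 }
        END { if (found && ok) exit 0; exit 1 }
    '
}

# Constructed `klist -e` output (not captured from a real system): AD-issued TGT, the
# cross-realm TGT for the MIT realm, and the AFS service ticket issued by the MIT KDC.
sample_klist_good() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bill@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
06/09/04 18:00:00  06/10/04 04:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
06/09/04 18:00:01  06/10/04 04:00:00  krbtgt/MIT.EXAMPLE.COM@AD.EXAMPLE.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
06/09/04 18:00:02  06/10/04 04:00:00  afs/cell.example.com@MIT.EXAMPLE.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
EOF
}

# Constructed failure case from the thread: afs/cell was created in Active Directory,
# so the service ticket comes back DES-CBC-MD5 ("DES cbc mode with RSA-MD5" in klist).
sample_klist_bad() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: bill@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
06/09/04 18:00:00  06/10/04 04:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
06/09/04 18:00:02  06/10/04 04:00:00  afs/cell.example.com@AD.EXAMPLE.COM
        Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
EOF
}

# Stand-alone run on the constructed samples. On a real client the pipeline is:
#   kinit bill@AD.EXAMPLE.COM && aklog -c cell.example.com -k MIT.EXAMPLE.COM && klist -e | check_afs_ticket_enctype cell.example.com
if sample_klist_good | check_afs_ticket_enctype cell.example.com; then
    echo "good sample: afs ticket is DES-CBC-CRC, usable by a 1.2.11 server with no krb524"
fi
if ! sample_klist_bad | check_afs_ticket_enctype cell.example.com; then
    echo "bad sample: afs ticket is not DES-CBC-CRC; afs/cell is being served by the wrong KDC"
fi
```

A ticket that passes the check is the kind the 1.2.11 servers in the message accept directly, with no krb524 in the path; one that fails (DES-CBC-MD5, or an afs/cell principal living in the AD realm) means Active Directory, not the MIT KDC, is issuing the AFS service ticket. One caveat for the server side: cross-realm users show up to the AFS servers as bill@ad.example.com unless the fileservers' krb.conf lists AD.EXAMPLE.COM as a local realm, so PTS entries or that file need to agree with whichever form you want.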



