[OpenAFS] Openafs with a windows kerberos server

Horst Birthelmer horst@riback.net
Tue, 11 May 2004 15:38:59 +0200


On Tuesday, May 11, 2004, at 03:21  PM, Davis, Adam wrote:

>
>
> -----Original Message-----
> From: Horst Birthelmer [mailto:horst@riback.net]
> Sent: 11 May 2004 13:42
> To: Davis, Adam
> Subject: Re: [OpenAFS] Openafs with a windows kerberos server
>
>
>
> On Tuesday, May 11, 2004, at 02:25  PM, Davis, Adam wrote:
>
>>
>>
>> Hi,
>>
>> I currently have openafs running on linux servers using the kaserver for
>> authentication.
>>
>> We also currently use Active Directory and would like openafs to be able
>> to authenticate against the windows kerberos servers which we already
>> have in place rather than duplicating user details.
>>
>> Is this possible? And if so, is there any documentation available?
>>
>
> It depends on what you mean by authenticate against the Windows server.
>
> Using Windows as KDC is also doable, as well as using the "fakeka" which
> was implemented recently by Volker Lendecke in samba.
> You can use a samba server (which is joined to your domain) as a fake
> kaserver for generating tokens for windows clients connecting to this
> samba server. (Note that these clients don't have an AFS client.)
>
> It really depends on what environment you're using and what platform
> your clients are on. If you're in an exclusively Microsoftish environment
> you don't have to install AFS clients on all of your client machines.
>
> Horst
>
> -----------------
> Hi,
>
> We have a Microsoft world and a separate UNIX world currently. The
> clients of the AFS servers are all UNIX. I would like to have all
> authentication from the one location and unfortunately, as the Windows
> Active Directory stuff is already in place, I would have to integrate the
> AFS stuff with that.
>

That was exactly my point. If you have some mixed environment the 
second solution with samba as "token generating machine" doesn't make 
sense.
Since you have some UNIX servers as well, stick with the much cleaner 
Kerberos solution.

> The windows guys say they have a Kerberos 5 server "Kerberos V5 KDC" and
> I have successfully set up some Linux machines to use it for Kerberos
> authentication. I already have some samba servers as well configured in
> the windows domain using it.
>

There are some howtos on the web on how to get Kerberos tickets from 
the Windows KDC and then generate AFS tokens out of them. I don't really 
remember the page but Google would help.

> I am not sure how I would go about getting AFS to use this!! How would
> I get it to hand out AFS tokens? What would you recommend? I am new to
> AFS and not sure what would be required to make this work.
>

I would recommend using the existing KDCs with AFS, as well as AD and 
all that "neat stuff" which is already there. :-))
It just gets complicated if you're trying to grant your users access to 
data from AFS without wanting them to install AFS clients on their 
machines.
If I'm getting you right, you didn't want that.

Horst