[OpenAFS] Openafs with a windows kerberos server

Douglas E. Engert deengert@anl.gov
Tue, 11 May 2004 09:43:20 -0500 

"Davis, Adam" wrote:
> 
> Hi,
> 
> I currently have openafs running on linux servers using the kaserver for
> authentication.
> 
> We also currently use Active directory and would like openafs to be able
> to authenticate against the windows kerberos servers which we already
> have in place rather then duplicating user details.
> 
> Is this possible ? And if so is there any documentation available ?

Yes it is possible we do that today All of our ADs are now 2003. 
Windows uses Kerberos V5 under the covers, and the AD will respond to 
UDP and TCP requests to port 88 and return Kerberos V5 tickets. Note 
that these tickets may be large due to the fact that Microsoft adds the 
PAC into the ticket. (Microsoft has promissed us a hotfix for the
size problem so that a service ticket sould be produced without the PAC,
and we are still waiting for this.)

OpenAFS is moving to be able to use these tickets directly as an AFS token.
Support for large tickets and des-cbc-md5 has been added to the OpenAFS
CVS. 

You can also use many of the conversion utilities to use the V5 ticket to 
get a V4 ticket which can be used by AFS as a token. These don't have
the size problem, as the krrb524d can strip the PAC, and use
des-cbc-crc for the V4 ticket. These utilizes usually require a krb524d 
or other daemon to be running. 

The MIT Kerberos for Windows has full support for all of this and
works well with OpenAFS on Windows.  

On a Unix machine you will need a aklog or gssklog to convert 
from V5 to V4. You should also be running a Kerberos that 
supports the Kerberos protocol over TCP, as the Windows 2003 ADs
will require this if a user is in many windows groups, i.e. the PAC
gets to large for UDP.    

In addition to the  

 http://web.mit.edu/kerberos/kfw-2.6/kfw-2.6.1/relnotes.html

Also see 
ftp://achilles.ctd.anl.gov/pub/DEE/README.GSSKLOG
ftp://achilles.ctd.anl.gov/pub/DEE/README.MSKLOG

whuich can give you some clues as to how to setup the Windows side. 


> 
> Thank you
> 
> Adam..
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444