[OpenAFS] mutimaster AD model and cross-realm

Dean Knape knape@njit.edu
Wed, 11 May 2005 16:03:58 -0400

Jeffrey Altman wrote:
> Lars Schimmer wrote:
>>Chris Huebsch wrote:
>>>>>I want to setup a domain with a win2003 server and clients. Under NT I
>>>>>can setup
>>>>>the windows-homes to a samba drive. If I can do that with win2003
>>>>>server, I can
>>>>>set windows & linux home in ONE home-volume.
>>>>>Any hints, tips, donots?
>>>>With pgina, you won't even need a PDC/ADS.
>>>>At our university we have a one-home, one-account strategy for Unix
>>>>(linux, solaris, etc) and Windows (NT..2003).
>>pgina looks nice. But I don't know if it fully replace a windows server. I think
>>i need some testing.
>>Anyone here has any experience with pgina in production? E.G. how it works
>>together with .NET studio and WinXP and OfficeXP...
> If you do have an Active Directory domain in which the workstations are
> members, you can implement a cross-realm trust between the Kerberos
> realm and the AD domain.   You can then map user principals in the
> Kerberos realm to user accounts in the AD.   Logins to the workstations
> can then be performed with the Kerberos principal.
> By installing the OpenAFS for Windows clients on the workstations, each
> workstation will be able to contact AFS via the UNC path
> 	\\AFS\cellname\path
> As part of the user profile you can assign the home directory to point
> to the user's AFS home volume via a UNC path.   In addition, you should
> specific via Group Policy redirected folder paths to ensure that the
> My Documents, Application Data, and other special folders are not copied
> to the local disk with the rest of the user profile.
> Jeffrey Altman

This was Re: [OpenAFS] new infrastructure-afs home and backup questions 
but so not to confuse that thread I'm starting anew.

We've successfully implemented a cross-realm trust between a Kerberos 
realm and single AD domain.  After principal mapping, users are able to 
login with their Kerberos principle at AD domain member workstations.

The next thing we need to test and get working is the integration of a 
Kerberos realm into a multimaster AD domain model.  Here's our current 
AD model:

enterprise AD domain .......  TOP
                                |            \
                                |             D
                                |            /
                               / \      |
                              /   \     |
                             /     \    |
user AD domains .........   A      B   |
resource AD domain .................   C

external Kerberos realm ( domain D floating up there )

This gives us:

Active directory domains

Kerberos realm

Our AFS cell

Our TOP domain contains no users (only domain admin & related). This is 
the root of our AD and provides DNS, etc. to subdomains.

Domain A & B contain user accounts and some workstation accounts.

Domain C is resource domain and primarily for lab computer accounts and 
servers providing services to both students and faculty.  There are no 
user accounts here either.  Users from domain A and B need to have their 
identities mapped in such a way so they can sit at lab workstation whos 
computer account is in domain C but their user account is in either 
domain A or domain B.  We're fortunate to have user uniques user 
accounts across user domains.

Now for my question -

What trust relationships and user identity mappings are needed to have 
to have users from domains A & B login to workstations/servers with 
computer accounts in domain C using their Kerberos realm identity?

sweating ...