[OpenAFS] multimaster AD model and cross-realm
Wed, 11 May 2005 16:03:58 -0400
Jeffrey Altman wrote:
> Lars Schimmer wrote:
>>Chris Huebsch wrote:
>>>>>I want to setup a domain with a win2003 server and clients. Under NT I
>>>>>the windows-homes to a samba drive. If I can do that with win2003
>>>>>server, I can
>>>>>set windows & linux home in ONE home-volume.
>>>>>Any hints, tips, donots?
>>>>With pgina, you won't even need a PDC/ADS.
>>>>At our university we have a one-home, one-account strategy for Unix
>>>>(linux, solaris, etc) and Windows (NT..2003).
>>pgina looks nice. But I don't know if it fully replaces a windows server. I think
>>I need some testing.
>>Does anyone here have any experience with pgina in production? E.g. how it works
>>together with .NET studio and WinXP and OfficeXP...
> If you do have an Active Directory domain in which the workstations are
> members, you can implement a cross-realm trust between the Kerberos
> realm and the AD domain. You can then map user principals in the
> Kerberos realm to user accounts in the AD. Logins to the workstations
> can then be performed with the Kerberos principal.
> By installing the OpenAFS for Windows clients on the workstations, each
> workstation will be able to contact AFS via the UNC path
> As part of the user profile you can assign the home directory to point
> to the user's AFS home volume via a UNC path. In addition, you should
> specify, via Group Policy, redirected folder paths to ensure that the
> My Documents, Application Data, and other special folders are not copied
> to the local disk with the rest of the user profile.
> Jeffrey Altman
This was Re: [OpenAFS] new infrastructure-afs home and backup questions,
but so as not to confuse that thread I'm starting anew.
We've successfully implemented a cross-realm trust between a Kerberos
realm and a single AD domain. After principal mapping, users are able to
login with their Kerberos principal at AD domain member workstations.
The next thing we need to test and get working is the integration of a
Kerberos realm into a multimaster AD domain model. Here's our current
enterprise AD domain .......        TOP
                                   / \  \
                                  /   \  \
                                 /     \  \
user AD domains ...........     A       B  \
resource AD domain ........................ C
external Kerberos realm ... ( domain D floating up there )
This gives us:
Active directory domains
Our AFS cell
Our TOP domain contains no users (only domain admin & related). This is
the root of our AD and provides DNS, etc. to subdomains.
Domain A & B contain user accounts and some workstation accounts.
Domain C is a resource domain, primarily for lab computer accounts and
servers providing services to both students and faculty. There are no
user accounts here either. Users from domain A and B need to have their
identities mapped in such a way that they can sit at a lab workstation whose
computer account is in domain C while their user account is in either
domain A or domain B. We're fortunate to have unique user
accounts across user domains.
Now for my question -
What trust relationships and user identity mappings are needed to have
users from domains A & B login to workstations/servers with
computer accounts in domain C using their Kerberos realm identity?
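The Unix side of the setup the thread discusses (an external Kerberos realm, here the "domain D" of the diagram, whose users must reach machines in a forest rooted at TOP) can be written down as an MIT krb5.conf. The fragment below is an added example, not configuration from the list post or from the OpenAFS project; every realm and host name (KRB.EXAMPLE.EDU, TOP.EXAMPLE.EDU, the dc1.* KDCs) is a placeholder, and the [capaths] block assumes that only the forest root TOP holds the direct trust with the external realm, so the child domains A, B and C are reached through it.

```ini
# Added example (not from the list post): krb5.conf for an AFS/Unix client
# in a standalone Kerberos realm that must obtain service tickets for hosts
# in a resource domain (C) of an AD forest rooted at TOP.
# All realm names, domain names and KDC hosts below are placeholders.

[libdefaults]
    default_realm = KRB.EXAMPLE.EDU
    # AD-issued tickets carry a PAC; leaving DNS canonicalisation off avoids
    # surprising realm lookups for hosts that live in several zones.
    dns_canonicalize_hostname = false

[realms]
    KRB.EXAMPLE.EDU = {
        kdc = kdc1.krb.example.edu
        admin_server = kdc1.krb.example.edu
    }
    # One domain controller per AD domain is enough for illustration.
    TOP.EXAMPLE.EDU = {
        kdc = dc1.top.example.edu
    }
    A.TOP.EXAMPLE.EDU = {
        kdc = dc1.a.top.example.edu
    }
    B.TOP.EXAMPLE.EDU = {
        kdc = dc1.b.top.example.edu
    }
    C.TOP.EXAMPLE.EDU = {
        kdc = dc1.c.top.example.edu
    }

[domain_realm]
    # Map DNS suffixes to realms so host/<fqdn> principals resolve correctly.
    .krb.example.edu   = KRB.EXAMPLE.EDU
    .top.example.edu   = TOP.EXAMPLE.EDU
    .a.top.example.edu = A.TOP.EXAMPLE.EDU
    .b.top.example.edu = B.TOP.EXAMPLE.EDU
    .c.top.example.edu = C.TOP.EXAMPLE.EDU

[capaths]
    # Syntax: CLIENT_REALM = { SERVER_REALM = INTERMEDIATE_REALM }; "." means
    # a direct trust with no intermediate hop.
    # A user from the external realm first gets krbtgt/TOP.EXAMPLE.EDU from
    # its own KDC, then asks TOP for krbtgt/C.TOP.EXAMPLE.EDU, and only then
    # asks C for the lab workstation's host ticket.
    KRB.EXAMPLE.EDU = {
        TOP.EXAMPLE.EDU   = .
        A.TOP.EXAMPLE.EDU = TOP.EXAMPLE.EDU
        B.TOP.EXAMPLE.EDU = TOP.EXAMPLE.EDU
        C.TOP.EXAMPLE.EDU = TOP.EXAMPLE.EDU
    }
    # capaths entries are one-way, so the reverse direction (an AD account
    # authenticating to a service in the external realm) is declared too.
    C.TOP.EXAMPLE.EDU = {
        KRB.EXAMPLE.EDU = TOP.EXAMPLE.EDU
    }
```

The two-hop path only works if the AD side agrees with it: the Windows realm trust created on TOP with `netdom trust ... /add /realm` must be marked transitive (`/transitive:yes`), otherwise a domain controller in C will reject a cross-realm TGT that originated in the external realm, and a separate direct realm trust between C and the external realm would be needed instead. A useful check after deploying the file is `kinit user@KRB.EXAMPLE.EDU` followed by `kvno host/lab01.c.top.example.edu`; `klist` should then show the intermediate `krbtgt/TOP.EXAMPLE.EDU@KRB.EXAMPLE.EDU` and `krbtgt/C.TOP.EXAMPLE.EDU@TOP.EXAMPLE.EDU` tickets alongside the final host ticket, which confirms that the referral chain in [capaths] is the one the KDCs actually honoured.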