[OpenAFS] mutimaster AD model and cross-realm

knape@njit.edu knape@njit.edu
Wed, 11 May 2005 20:50:13 -0400 (EDT) 

Quoting Jeffrey Altman <jaltman@columbia.edu>:

> Dean Knape wrote:
> 
> > This was Re: [OpenAFS] new infrastructure-afs home and backup
> questions
> > but so not to confuse that thread I'm starting anew.
> 
> By replying to the previous thread, you are still in the previous
> thread.  Changing the name of the subject does not alter what message
> thread you are in.
> 

Silly me!

> > We've successfully implemented a cross-realm trust between a
> Kerberos
> > realm and single AD domain.  After principal mapping, users are able
> to
> > login with their Kerberos principle at AD domain member
> workstations.
> > 
> > The next thing we need to test and get working is the integration of
> a
> > Kerberos realm into a multimaster AD domain model.  Here's our
> current
> > AD model:
> > 
> > enterprise AD domain .......  TOP
> >                                |            \
> >                                |             D
> >                                |            /
> >                                |--------
> >                               / \      |
> >                              /   \     |
> >                             /     \    |
> > user AD domains .........   A      B   |
> >                                        |
> >                                        |
> >                                        |
> > resource AD domain .................   C
> > 
> > 
> > external Kerberos realm ( domain D floating up there )
> > 
> > 
> > This gives us:
> > 
> > Active directory domains
> > ------------------------
> > TOP.njit.edu
> > A.TOP.njit.edu
> > B.TOP.njit.edu
> > C.TOP.njit.edu
> > 
> > Kerberos realm
> > --------------
> > D.njit.edu
> > 
> > Our AFS cell
> > ------------
> > D.njit.edu
> > 
> > Our TOP domain contains no users (only domain admin & related). This
> is
> > the root of our AD and provides DNS, etc. to subdomains.
> > 
> > Domain A & B contain user accounts and some workstation accounts.
> > 
> > Domain C is resource domain and primarily for lab computer accounts
> and
> > servers providing services to both students and faculty.  There are
> no
> > user accounts here either.  Users from domain A and B need to have
> their
> > identities mapped in such a way so they can sit at lab workstation
> whos
> > computer account is in domain C but their user account is in either
> > domain A or domain B.  We're fortunate to have user uniques user
> > accounts across user domains.
> 
> If you are going to be mapping Kerberos principals from D to accounts
> in the forest, the user accounts should exist in TOP not A and not B.
> You are centrally controlling the name space at D, therefore you
> should
> not be giving the ability to create user accounts mapped to that name
> space to individual departments via the use of sub-domains.
>

Thank you.  This confirms my understanding of the problem and is exactly hoping 
not to hear.   
 
> > Now for my question -
> > 
> > What trust relationships and user identity mappings are needed to
> have
> > to have users from domains A & B login to workstations/servers with
> > computer accounts in domain C using their Kerberos realm identity?
> > 
> > sweating ...
> 
> The sub-domains should have knowledge of the existence of realm D
> but do not have to have trusts with it.   The trust relationship is
> between D and TOP.
> 
> Note: By using a multi-domain forest you will be making it impossible
> (due to a Microsoft bug) for you to provide roaming profiles mapped
> to AFS.
> 
> Jeffrey Altman
>