[OpenAFS] New Structure - help/advice wanted

Jan Johansson janj+openafs@wenf.org
Wed, 21 Sep 2005 16:45:05 +0200

Lars Schimmer <l.schimmer@cgv.tugraz.at> wrote:
> I've got a subnet with about 40 PCs, some Windows, some Linux.
> The Windows Clients should resist in a AD/Domain under win2003
> server.  All clients should use kerberos5 and should obtain
> tickets/tokens automatic, as home should resist in OpenAFS
> space.  I learned I need two kerberos5 realms, one MIT and one
> on the AD, right?

I am not certain about this but you might get by with only the
Windows AD kerberos.
> What is the best way to set this up?
> Use the AFS Cell name as AD realm?
> Use the AFS Cell name as MIT realm?
> Any other hint?

To my knowledge the most common is.

AFS Cell: example.com
Kerberos realm: EXAMPLE.COM
Active Directory: ad.example.com
Active Directory realm: AD.EXAMPLE.COM

Make the Active Directory trust the Kerberos realm with a one way

Setup your clients to login to the Kerberos REALM (EXAMPLE.COM)
using 'ksetup /addkdc EXAMPLE.COM", it is not needed to specify
the kdc if you setup DNS correctly.

For the user 'foobar' to work an entry needs to be added to the
Kerberos Realm (foobar@EXAMPLE.COM), the user needs to be in the
AFS pts database and exist in Active Directory. 

In the Active Directory MMC application you choose View -> Advanced
options and then you should find a "Name mapping" where you can
connect the 'foobar' user in Active Directory with the Kerberos
user 'foobar@EXAMPLE.COM'.