[OpenAFS] Kerberos Ticket Sizes when using AD as the KDC and OpenAFS

Douglas E. Engert deengert@anl.gov
Fri, 27 Jan 2006 10:59:17 -0600


ted creedon wrote:

> 1. Is the AFS service ticket the only thing needed to make an afs token?

Yes.

> 2. I.e. does pts handle all the afs permissions from then on?

Yes, the groups from AD in the PAC are AD-specific and used only within
Windows. AFS has its own authz database and sets of groups, which are in the PTS.

> 3. can "kinit admin" now authenticate to AD instead of a krb5 server?

If you added an admin principal and account to AD (I would pick another name).
Any principal could be an AFS admin, as long as you set the bits in the PTS,
and update the /usr/afs/etc/UserList on the servers. I believe the kaserver
admin is still required to use the k4 with the kaserver. But then again if you
are using all Krb5 you don't need the kaserver.


> 
> thanks
> 
> tedc
> Douglas E. Engert wrote:
> 
>>
>>
>> ted creedon wrote:
>>
>>> What happens to non service tickets?
>>
>>
>> Not sure what you mean. The user's PAC is added to the initial TGT for 
>> the user
>> then copied to service tickets and cross-realm TGTs and the service 
>> ticket for AFS.
>>
>> The NO_AUTH_REQUIRED bit would only be set on the account for the AFS  
>> server
>> principal in AD, then when a service ticket is created for AFS the AD 
>> KDC will
>> not copy the user's PAC to the AFS service ticket.
>>
>> Tickets for other services will still get a PAC.
>>
>> Since the AFS cache manager has some 12000 byte limits on the size of
>> the ticket, and it does not use the PAC anyway, telling the KDC to 
>> not send
>> the PAC to AFS means AFS does not have to deal with users in lots of AD 
>> groups.
>>
>>
>>
>>> tedc
>>>
>>> Douglas E. Engert wrote:
>>>
>>>> From the article:
>>>>
>>>> "New resolution for problems that occur when users belong to many 
>>>> groups"
>>>> http://support.microsoft.com/?kbid=327825
>>>>
>>>> It looks like XP and W2003 no longer have a max_token_size limit, 
>>>> and thus
>>>> the size of a ticket could now be above 12,000 bytes.
>>>>
>>>> So for any sites that use Active Directory as the KDC and OpenAFS,
>>>> keep this following option in mind for the afs/cell@realm principal
>>>>
>>>> "An update is available that introduces the NO_AUTH_REQUIRED flag to
>>>> the UserAccountControl property in Windows Server 2003 and in 
>>>> Windows 2000"
>>>> http://support.microsoft.com/kb/832572
>>>>
>>>>
>>> _______________________________________________
>>> OpenAFS-info mailing list
>>> OpenAFS-info@openafs.org
>>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>>
>>>
>>
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
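The option the thread points at, as an added PowerShell example that is not part of the original message or of OpenAFS: it sets the UserAccountControl bit from KB 832572 on the AD account that holds the afs/cell service principal, so the AD KDC stops copying the user's PAC into AFS service tickets. The bit value is the documented ADS_UF_NO_AUTH_DATA_REQUIRED (0x2000000); the SPN 'afs/example.com', the RSAT ActiveDirectory module and the rights to modify the account are assumptions.

```powershell
# Added example, not from the original thread or from OpenAFS.
# Assumes the RSAT ActiveDirectory module, rights to modify the service
# account, and that the AFS service principal is registered as an SPN on
# an AD account (the SPN 'afs/example.com' below is a placeholder).

Import-Module ActiveDirectory

# UserAccountControl bit introduced by KB 832572 (ADS_UF_NO_AUTH_DATA_REQUIRED).
# Set on the *service* account, it makes the KDC omit the PAC from service
# tickets issued for that account's SPNs; users' TGTs and tickets for other
# services are unaffected.
$NO_AUTH_DATA_REQUIRED = 0x2000000

function Get-AfsServiceAccount {
    param([Parameter(Mandatory)][string]$Spn)
    # Look the account up by SPN instead of guessing its sAMAccountName, so the
    # flag lands on the object the KDC actually uses for afs/cell tickets.
    $objs = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                           -Properties userAccountControl, servicePrincipalName)
    if ($objs.Count -eq 0) { throw "No AD object carries SPN '$Spn'" }
    if ($objs.Count -gt 1) {
        throw "SPN '$Spn' is registered on $($objs.Count) objects; fix the duplicate first"
    }
    return $objs[0]
}

function Test-NoAuthDataRequired {
    param([Parameter(Mandatory)][string]$Spn)
    $acct = Get-AfsServiceAccount -Spn $Spn
    return (([int]$acct.userAccountControl -band $NO_AUTH_DATA_REQUIRED) -ne 0)
}

function Set-NoAuthDataRequired {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Spn)

    $acct = Get-AfsServiceAccount -Spn $Spn
    $uac  = [int]$acct.userAccountControl

    if ($uac -band $NO_AUTH_DATA_REQUIRED) {
        Write-Verbose "$($acct.DistinguishedName) already has NO_AUTH_DATA_REQUIRED set"
        return
    }

    # Preserve every other bit; only OR in the one flag.
    $newUac = $uac -bor $NO_AUTH_DATA_REQUIRED
    if ($PSCmdlet.ShouldProcess($acct.DistinguishedName,
                                "set userAccountControl $uac -> $newUac")) {
        Set-ADObject -Identity $acct.DistinguishedName `
                     -Replace @{ userAccountControl = $newUac }

        # Read it back: Set-ADObject returns nothing unless -PassThru is given.
        $after = (Get-ADObject -Identity $acct.DistinguishedName `
                               -Properties userAccountControl).userAccountControl
        if (-not ([int]$after -band $NO_AUTH_DATA_REQUIRED)) {
            throw "userAccountControl on $($acct.DistinguishedName) did not take the new value"
        }
    }
}

# Usage with the placeholder cell name. -WhatIf previews the change.
Set-NoAuthDataRequired -Spn 'afs/example.com' -WhatIf
Set-NoAuthDataRequired -Spn 'afs/example.com' -Verbose
Test-NoAuthDataRequired -Spn 'afs/example.com'
```

Only the account holding the afs/cell SPN is modified, which is what keeps the PAC in users' TGTs and in tickets for other services. The flag affects tickets issued after the change, so clients that already hold a cached AFS service ticket keep the large one until they discard it (kdestroy or klist purge) and request a new one.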