[OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

Jeffrey Altman jaltman@secure-endpoints.com
Fri, 05 Jan 2007 12:06:01 -0500


John W. Sopko Jr. wrote:
> I should have been more clear. I am only running a TEST
> krb5 1.4.4 server under linux. I am still running kaserver.
> Like lots of folks looking to migrate to K5, have been for
> years.

Oh, much relief felt by all :-)

> I would prefer to keep the dns/realm/afs.cell names all the same.
> The only way to do this is to run one kerberos 5 server. The
> linux krb5_pam module seems to work fine for authenticating
> to k5 and getting afs tokens. Aklog works great also. Have tested
> linux krb5_pam and apache authentication to Windows AD.
> 
> We run 3 active directory servers, currently Windows 2000
> to be upgraded to 2003 very soon. We have a Windows group that
> manages these machines.
> 
> I am trying to piece things together like Eric.
> What we need is clear steps on how to create the Windows
> AD afs/cell.name user and the proper way to export the
> afs/cell.name key. Would be nice to have this for both
> W2K and W2003. The linux "asetkey" man page is real clear
> on how to do this in linux, (thanks Russ).

The instructions I provided should work for you.  If they don't,
scream.

> I plan on trying to attend the AFS & Kerberos
> Best Practices Workshop 2007. I am sure over the next few
> months things will get more clear on this.

There is a talk from last year's workshop by Derrick on this
very topic.

Jeffrey Altman