[OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad
John W. Sopko Jr.
Fri, 05 Jan 2007 12:16:11 -0500
Yes, I will try your instructions. I am not in control
of our Windows servers and they are running W2K. I do
have access to a test W2003 AD server.
> * Use a working (non-2003 SP1) version of ktpass to export the key
> The 2003 SP1 Support Tools version is 5.2.3790.1830. Do not use it.
So use the original ktpass? Is there a way to verify the
working version? Thanks for all your help.
While we are on the subject: if we decide to have our
L/Unix infrastructure, including afs, authenticate to
Windows AD; how comfortable do you feel that one day
a Microsoft patch might break things? Our Windows group
say they cannot guarantee this will not happen. I know
this is a big question...
Jeffrey Altman wrote:
> John W. Sopko Jr. wrote:
>> I should have been more clear. I am only running a TEST
>> krb5 1.4.4 server under linux. I am still running kaserver.
>> Like lots of folks looking to migrate to K5, have been for
> oh, much relief felt by all :-)
>> I would prefer to keep the dns/realm/afs.cell names all the same.
>> The only way to do this is to run one kerberos 5 server. The
>> linux krb5_pam module seems to work fine for authenticating
>> to k5 and getting afs tokens. Aklog works great also. Have tested
>> linux krb5_pam and apache authentication to Windows AD.
>> We run 3 active directory servers, currently Windows 2000
>> to be upgraded to 2003 very soon. We have a Windows group that
>> manages these machines.
>> I am trying to piece things together like Eric.
>> What we need is clear steps on how to create the Windows
>> AD afs/cell.name user and the proper way to export the
>> afs/cell.name key. Would be nice to have this for both
>> W2K and W2003. The linux "asetkey" man page is real clear
>> on how to do this in linux, (thanks Russ).
> The instructions I provided should work for you. If they don't,
>> I plan on trying to attend the AFS & Kerberos
>> Best Practices Workshop 2007. I am sure over the next few
>> months things will get more clear on this.
> There is a talk from last year's workshop by Derrick on this
> very topic.
> Jeffrey Altman
John W. Sopko Jr. University of North Carolina
email: sopko AT cs.unc.edu Computer Science Dept., CB 3175
Phone: 919-962-1844 Sitterson Hall; Room 044
Fax: 919-962-1799 Chapel Hill, NC 27599-3175