[OpenAFS] Switching from MIT to win 2003 krb5 server

Douglas E. Engert deengert@anl.gov
Wed, 06 Jun 2007 11:00:57 -0500

Lars Schimmer wrote:
> Hi!
> Now I'm on my way to switch from MIT krb5 server to Win 2003 AD krb5
> server to use only ONE auth in my cell :-)
> In that way I've got some questions.

Start with OpenAFS 1.5.20 release notes section 3.1.1

> 1. is it possible, to use both server and use both to obtain
> tickets/tokens in the time of changing?

Yes. Some questions:

   Are the user names in sync between the two realms?

   Are the realm names the same? Does either match the cell name?

   Are you using aklog with krb524d currently?

> Is there a problem with kvno? Or just set the Win Key one number higher
> than MIT key?

The AFS KeyFile has only kvnos and keys, it does not know with what realm
the keys are associated, so you can have a kvno/key from the MIT server
and a different kvno/key from the AD. Just as long as the kvnos don't

> 2. creating user in AD is clear to me, do I need to map them via the
> setspn version?

Just add users like any AD user.

> 3. How to create host-entries? Just add a "Computer" to the AD?
> Some special Options to take care of?

That's not an AFS question.  We use msktutil; it uses LDAP to add host
accounts in AD and updates the Krb5 keytabs. (Google for msktutil.)
It takes care of adding accounts and setting all the AD options
for Kerberos service principals, including the afs/cellname@realm

> 4. I created a afs user in the AD as a normal user with the login afs,
> set user cannot change passwd, passwd never expires.
> Afterward I setspn afs/cgv.tugraz.at to afs.
> Was this correct? Any other options to check?

DES only, and maybe the NO PAC option, see:

> 5. I installed the Win 2003 SP2 and tools for SP2, so no need to worry
> about ktpass?

Not if you use msktutil. There are some issues with what the "salt" is
when ktpass creates DES keys from a password for service principals.

> 6. After ktpass export the afs key and import it into afs servers, I can
> change the clients to auth against Win 2003 AD. Is it enough just to
> change the IP in the krb5.conf file?

See questions on what are the realm names above. Sounds like you are using the
same realm names for AD and the krb5.
> Thanks for the help so far. I just want to be sure that it works the way
> I think it should.
> Regards,
> Lars Schimmer
> --
> -------------------------------------------------------------
> TU Graz, Institut für ComputerGraphik & WissensVisualisierung
> Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
> Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
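The point made above about the AFS KeyFile, that it records only kvnos and DES keys and has no idea which realm a key came from, is easiest to see from the file's on-disk layout. The following is an added example, not code from the thread or from OpenAFS: it packs and parses the classic 100-byte KeyFile image (struct afsconf_keys from OpenAFS's src/auth/cellconfig.h: a big-endian nkeys count followed by 8 slots of a 4-byte kvno and an 8-byte key), and models what a fileserver does with an incoming ticket, namely pick a key by kvno alone. The two sample keys are constructed for the example and are not real cell keys; the rule that two entries may not share a kvno, the DES parity check and the rejection of the four DES weak keys are this example's own checks, added because a KeyFile with a colliding kvno cannot tell an MIT key from an AD key and because the AD account for afs/cellname is being created as DES-only.

```python
import struct

# Classic OpenAFS KeyFile layout (struct afsconf_keys in src/auth/cellconfig.h):
#   afs_int32 nkeys;                                  (big-endian)
#   struct { afs_int32 kvno; char key[8]; } key[8];   (AFSCONF_MAXKEYS == 8)
# The file is always 4 + 8 * 12 = 100 bytes.  No field names a realm or a
# principal: the server only ever selects a key by the kvno in a ticket.
MAXKEYS = 8
ENTRY_FMT = ">i8s"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)          # 12
KEYFILE_SIZE = 4 + MAXKEYS * ENTRY_SIZE          # 100

# The four DES weak keys, in odd-parity form.
DES_WEAK_KEYS = {
    bytes.fromhex("0101010101010101"),
    bytes.fromhex("fefefefefefefefe"),
    bytes.fromhex("e0e0e0e0f1f1f1f1"),
    bytes.fromhex("1f1f1f1f0e0e0e0e"),
}


def set_odd_parity(key: bytes) -> bytes:
    """Force every byte to odd parity, the form DES keys are stored in."""
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)


def check_des_key(key: bytes) -> None:
    """Reject keys that are the wrong length, mis-parity, or DES weak keys."""
    if len(key) != 8:
        raise ValueError("DES key must be 8 bytes")
    if set_odd_parity(key) != key:
        raise ValueError("DES key bytes must have odd parity")
    if key in DES_WEAK_KEYS:
        raise ValueError("refusing a DES weak key")


def pack_keyfile(entries):
    """Serialise [(kvno, key), ...] into a 100-byte KeyFile image."""
    if len(entries) > MAXKEYS:
        raise ValueError("KeyFile holds at most %d keys" % MAXKEYS)
    seen = set()
    for kvno, key in entries:
        if kvno in seen:
            # Example's own rule: nothing in the file distinguishes an MIT key
            # from an AD key, so a shared kvno would be ambiguous.
            raise ValueError("duplicate kvno %d" % kvno)
        seen.add(kvno)
        check_des_key(key)
    body = b"".join(struct.pack(ENTRY_FMT, kvno, key) for kvno, key in entries)
    return struct.pack(">i", len(entries)) + body.ljust(KEYFILE_SIZE - 4, b"\0")


def parse_keyfile(blob: bytes):
    """Inverse of pack_keyfile: return [(kvno, key), ...] for the used slots."""
    if len(blob) != KEYFILE_SIZE:
        raise ValueError("KeyFile must be exactly %d bytes" % KEYFILE_SIZE)
    (nkeys,) = struct.unpack(">i", blob[:4])
    if not 0 <= nkeys <= MAXKEYS:
        raise ValueError("bad nkeys %d" % nkeys)
    entries = []
    for i in range(nkeys):
        off = 4 + i * ENTRY_SIZE
        kvno, key = struct.unpack(ENTRY_FMT, blob[off:off + ENTRY_SIZE])
        entries.append((kvno, key))
    return entries


def key_for_kvno(entries, kvno):
    """What a fileserver does with a ticket: choose the key by kvno only."""
    for k, key in entries:
        if k == kvno:
            return key
    raise KeyError("no key with kvno %d" % kvno)


def keyfile_accepts(entries) -> bool:
    """True if pack_keyfile would accept these entries, False if it rejects them."""
    try:
        pack_keyfile(entries)
        return True
    except ValueError:
        return False


# Constructed sample keys (not real cell keys): one as if extracted from the
# MIT KDC at kvno 3, one as if exported from AD at a distinct, higher kvno.
MIT_KEY = set_odd_parity(bytes.fromhex("0123456789abcdef"))
AD_KEY = set_odd_parity(bytes.fromhex("fedcba9876543210"))
ENTRIES = [(3, MIT_KEY), (4, AD_KEY)]

if __name__ == "__main__":
    image = pack_keyfile(ENTRIES)
    for kvno, key in parse_keyfile(image):
        print("kvno %d key %s" % (kvno, key.hex()))
```

With both keys present, a ticket issued by the MIT KDC (kvno 3) and one issued by AD (kvno 4) are both decryptable by the same fileserver during the transition; once no MIT tickets remain in circulation the kvno 3 slot can be dropped.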