[OpenAFS] Switching from MIT to win 2003 krb5 server
Douglas E. Engert
Wed, 06 Jun 2007 11:00:57 -0500
Lars Schimmer wrote:
> Now I'm on my way to switch from MIT krb5 server to Win 2003 AD krb5
> server to use only ONE auth in my cell :-)
> In that way I've got some questions.
Start with OpenAFS 1.5.20 release notes section 3.1.1
> 1. Is it possible to use both servers and use both to obtain
> tickets/tokens in the time of changing?
Yes. Some questions:
Are the user names in sync between the two realms?
Are the realm names the same? Does either match the cell name?
Are you using aklog with krb524d currently?
> Is there a problem with kvno? Or just set the Win Key one number higher
> than MIT key?
The AFS KeyFile has only kvnos and keys, it does not know with what realm
the keys are associated, so you can have a kvno/key from the MIT server
and a different kvno/key from the AD. Just as long as the kvno's don't
> 2. creating user in AD is clear to me, do I need to map them via the
> setspn version?
Just add users like any AD user.
> 3. How to create host-entries? Just add a "Computer" to the AD?
> Some special Options to take care of?
That's not an AFS question. We use msktutil; it uses LDAP to add host
accounts in AD, and updates the Krb5 keytabs. (Google for msktutil)
Takes care of adding accounts, and setting all the AD options
for Kerberos service principals, including the afs/cellname@realm
> 4. I created an afs user in the AD as a normal user with the login afs,
> set user cannot change passwd, passwd never expires.
> Afterward I setspn afs/cgv.tugraz.at to afs.
> Was this correct? Any other options to check?
DES only, and maybe the NO PAC option see:
> 5. I installed the Win 2003 SP2 and tools for SP2, so no need to worry
> about ktpass?
Not if you use msktutil. There are some issues with what the "salt"
when ktpass creates DES keys from a password for service principals.
> 6. After ktpass export the afs key and import it into afs servers, I can
> change the clients to auth against Win 2003 AD. Is it enough just to
> change the IP in the krb5.conf file?
See questions on what are the realm names above. Sounds like you are using
the same realm names for AD and the krb5.
> Thanks for the help so far. I just want to be sure that it works the way
> I think it should.
> Lars Schimmer
> --
> -------------------------------------------------------------
> TU Graz, Institut für ComputerGraphik & WissensVisualisierung
> Tel: +43 316 873-5405 E-Mail: firstname.lastname@example.org
> Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
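
An added example, not code from this thread or from OpenAFS: a pre-merge check that reads the MIT and AD keytabs and flags afs keys that are not DES, or that carry a kvno already used by the other realm (the KeyFile stores only kvno and key, so it cannot hold two keys under one kvno). The realm and cell names, the labels and the key bytes are constructed samples, and `sample_entry` exists only to build them.

```python
import struct

def parse_entry(data, p, end):
    def counted():  # 16-bit length, then that many bytes
        nonlocal p
        (n,) = struct.unpack_from(">H", data, p)
        p += 2 + n
        return data[p - n:p]
    ncomp = int.from_bytes(data[p:p + 2], "big")
    p += 2
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    kvno, enctype = struct.unpack_from(">8xBH", data, p)  # 8x skips name type + timestamp
    p += 13 + int.from_bytes(data[p + 11:p + 13], "big")  # step over the key itself
    if end - p >= 4:  # optional 32-bit kvno overrides the 8-bit one
        kvno = struct.unpack_from(">I", data, p)[0] or kvno
    return f"{name}@{realm}", kvno, enctype

def parse_keytab(data):  # MIT keytab file format, version 0x0502
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:  # a negative size marks a deleted slot to skip
            entries.append(parse_entry(data, pos, pos + size))
        pos += abs(size)
    return entries

def check_afs_keys(keytabs):  # keytabs: {label: raw keytab bytes}
    seen, problems = {}, []
    for label, blob in keytabs.items():
        for princ, kvno, etype in parse_keytab(blob):
            if princ.split("@")[0].split("/")[0] != "afs":
                continue
            if etype not in (1, 2, 3):  # des-cbc-crc, des-cbc-md4, des-cbc-md5
                problems.append(f"{label}: {princ} kvno {kvno} has enctype {etype}, not DES")
            if seen.setdefault(kvno, label) != label:
                problems.append(f"kvno {kvno} is used by both {seen[kvno]} and {label}")
    return problems

def sample_entry(realm, comps, kvno, enctype):  # builds constructed test data
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + b"".join(cs(s.encode()) for s in [realm, *comps])
    body += struct.pack(">IIBH", 1, 0, kvno, enctype) + cs(b"\x01" * 8)
    return struct.pack(">i", len(body)) + body

MIT_KT = b"\x05\x02" + sample_entry("EXAMPLE.ORG", ["afs", "cell.example.org"], 3, 1)
AD_KT = b"\x05\x02" + sample_entry("AD.EXAMPLE.ORG", ["afs", "cell.example.org"], 3, 23)
print(check_afs_keys({"mit": MIT_KT, "ad": AD_KT}))
```

On real files, pass the bytes read from each realm's exported keytab in place of `MIT_KT` and `AD_KT`.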