[OpenAFS] Switching from MIT to win 2003 krb5 server

Lars Schimmer l.schimmer@cgv.tugraz.at
Wed, 06 Jun 2007 22:46:48 +0200

Hash: SHA1

Douglas E. Engert wrote:
> Lars Schimmer wrote:
> Hi!
> Now I=B4m on my way to switch from MIT krb5 server to Win 2003 AD krb5
> server to use only ONE auth in my cell :-)
> In that way I=B4ve got some questions.
>> Start with OpenAFS 1.5.20 release notes section 3.1.1
>> http://www.openafs.org/release/openafs-1.5.20.html

Damned. I=B4ve read that so many times in all the years, but never had th=
AD krb5 in mind, so I forget the easiest part of doc retrievement.

> 1. is it possible, to use both server and use both to obtain
> tickets/tokens in the time of changing?
>> Yes. Some questions:
>>   Are the user names in sync between the two realms.

Sure, users log in to AD domain and got ticket/token from MIT krb5.

>>   Are the realm names the same? Does either match the cell name?

Both are the same and working so far, they match the cell name and the DN=

>>   Are you using aklog with krb524d currently?

No, pure aklog and krb5. No krb4 involved til yet.

> Is there a problem with kvno? Or just set the Win Key one number higher
> than MIT key?
>> The AFS KeyFile has only kvnos and keys, it does not know with what re=
>> the keys are associated, so you can have a kvno/key from the MIT serve=
>> and a different kvno/key from the AD. Just as long as the kvno's don't
>> match.

Thought so, but wanted to be sure.

> 2. creating user in AD is clear to me, do I need to map them via the
> setspn version?
>> Just add users like any AD user.

Fine :-)

> 3. How to create host-entries? Just add a "Computer" to the AD?
> Some special Options to take care of?
>> Thats not an AFS question.  We use msktutil, it uses LDAP to add host
>> accounts in AD, and updates the Krb5 keytabs. (Google for msktutil)
>> Takes care of adding accounts, and setting all the AD options
>> for Kerberos service principals. including the afs/cellname@realm
>> principal.

Ok, I=B4ll have a look tomorrow.

> 4. I created a afs user in the AD as a normal user with the login afs,
> set user cannot change passwd, passwd never expires.
> Afterward I setspn afs/cgv.tugraz.at to afs.
> Was this correct? Any other options to check?
>> Des only, and maybe the NO PAC option see:
>> http://support.microsoft.com/kb/832572/

Need to check, to.

> 5. I installed the Win 2003 SP2 and tools for SP2, so no need to worry
> about ktpass?
>> Not if you use msktutil. There are some issues with what the "salt"
>> when ktpass  creats des keys from a password for service principals.

That seems to be a fine tool. Good to know.

> 6. After ktpass export the afs key and import it into afs servers, I ca=
> change the clients to auth against Win 2003 AD. Is it enough just to
> change the IP in the krb5.conf file?
>> See questions on what are the realm names above. Sounds like you are
>> using the
>> same realm names for AD and the krb5.

Yeah, til yet it worked more or less fine :-)


Lars Schimmer
- --
- -------------------------------------------------------------
TU Graz, Institut f=FCr ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org