[OpenAFS] Switching from MIT to win 2003 krb5 server
Lars Schimmer
l.schimmer@cgv.tugraz.at
Wed, 06 Jun 2007 22:46:48 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Douglas E. Engert wrote:
>=20
>=20
> Lars Schimmer wrote:
> Hi!
>=20
> Now I=B4m on my way to switch from MIT krb5 server to Win 2003 AD krb5
> server to use only ONE auth in my cell :-)
> In that way I=B4ve got some questions.
>=20
>=20
>> Start with OpenAFS 1.5.20 release notes section 3.1.1
>> http://www.openafs.org/release/openafs-1.5.20.html
Damned. I=B4ve read that so many times in all the years, but never had th=
e
AD krb5 in mind, so I forget the easiest part of doc retrievement.
> 1. is it possible, to use both server and use both to obtain
> tickets/tokens in the time of changing?
>=20
>> Yes. Some questions:
>=20
>> Are the user names in sync between the two realms.
Sure, users log in to AD domain and got ticket/token from MIT krb5.
>> Are the realm names the same? Does either match the cell name?
Both are the same and working so far, they match the cell name and the DN=
S.
>> Are you using aklog with krb524d currently?
No, pure aklog and krb5. No krb4 involved til yet.
> Is there a problem with kvno? Or just set the Win Key one number higher
> than MIT key?
>=20
>> The AFS KeyFile has only kvnos and keys, it does not know with what re=
alm
>> the keys are associated, so you can have a kvno/key from the MIT serve=
r
>> and a different kvno/key from the AD. Just as long as the kvno's don't
>> match.
Thought so, but wanted to be sure.
> 2. creating user in AD is clear to me, do I need to map them via the
> setspn version?
>=20
>> Just add users like any AD user.
Fine :-)
> 3. How to create host-entries? Just add a "Computer" to the AD?
> Some special Options to take care of?
>=20
>> Thats not an AFS question. We use msktutil, it uses LDAP to add host
>> accounts in AD, and updates the Krb5 keytabs. (Google for msktutil)
>> Takes care of adding accounts, and setting all the AD options
>> for Kerberos service principals. including the afs/cellname@realm
>> principal.
Ok, I=B4ll have a look tomorrow.
> 4. I created a afs user in the AD as a normal user with the login afs,
> set user cannot change passwd, passwd never expires.
> Afterward I setspn afs/cgv.tugraz.at to afs.
> Was this correct? Any other options to check?
>=20
>> Des only, and maybe the NO PAC option see:
>> http://support.microsoft.com/kb/832572/
Need to check, to.
> 5. I installed the Win 2003 SP2 and tools for SP2, so no need to worry
> about ktpass?
>=20
>> Not if you use msktutil. There are some issues with what the "salt"
>> when ktpass creats des keys from a password for service principals.
That seems to be a fine tool. Good to know.
> 6. After ktpass export the afs key and import it into afs servers, I ca=
n
> change the clients to auth against Win 2003 AD. Is it enough just to
> change the IP in the krb5.conf file?
>=20
>> See questions on what are the realm names above. Sounds like you are
>> using the
>> same realm names for AD and the krb5.
Yeah, til yet it worked more or less fine :-)
Thanks.
MfG,
Lars Schimmer
- --
- -------------------------------------------------------------
TU Graz, Institut f=FCr ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: l.schimmer@cgv.tugraz.at
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGZx04mWhuE0qbFyMRAvoRAJ9+uw3N8ucQgs2q7UZrHaKU8a8qzwCdFpbd
mNnELtPHvQBYDYJ1kWlwgOU=3D
=3D3YEY
-----END PGP SIGNATURE-----