[OpenAFS] Switching from MIT to win 2003 krb5 server

Douglas E. Engert deengert@anl.gov
Wed, 06 Jun 2007 16:10:16 -0500

Lars Schimmer wrote:
> Hash: SHA1
> Douglas E. Engert wrote:
>> Lars Schimmer wrote:
>> Hi!
>> Now I=B4m on my way to switch from MIT krb5 server to Win 2003 AD krb5
>> server to use only ONE auth in my cell :-)
>> In that way I=B4ve got some questions.
>>> Start with OpenAFS 1.5.20 release notes section 3.1.1
>>> http://www.openafs.org/release/openafs-1.5.20.html
> Damned. I=B4ve read that so many times in all the years, but never had =
> AD krb5 in mind, so I forget the easiest part of doc retrievement.
>> 1. is it possible, to use both server and use both to obtain
>> tickets/tokens in the time of changing?
>>> Yes. Some questions:
>>>   Are the user names in sync between the two realms.
> Sure, users log in to AD domain and got ticket/token from MIT krb5.

So you keep them seperate by Windows clients using DNS SRV records to
find its KDCs, and Kerberos clients using the krb5.conf to find
its KDCs.  (This sounds like some other site I know of.)
It also means that you can not use the KfW or the Network Identity Manage=
to import tickets from a Windows login.

>>>   Are the realm names the same? Does either match the cell name?
> Both are the same and working so far, they match the cell name and the =
>>>   Are you using aklog with krb524d currently?
> No, pure aklog and krb5. No krb4 involved til yet.
>> Is there a problem with kvno? Or just set the Win Key one number highe=
>> than MIT key?
>>> The AFS KeyFile has only kvnos and keys, it does not know with what r=
>>> the keys are associated, so you can have a kvno/key from the MIT serv=
>>> and a different kvno/key from the AD. Just as long as the kvno's don'=
>>> match.
> Thought so, but wanted to be sure.
>> 2. creating user in AD is clear to me, do I need to map them via the
>> setspn version?
>>> Just add users like any AD user.
> Fine :-)
>> 3. How to create host-entries? Just add a "Computer" to the AD?
>> Some special Options to take care of?
>>> Thats not an AFS question.  We use msktutil, it uses LDAP to add host
>>> accounts in AD, and updates the Krb5 keytabs. (Google for msktutil)
>>> Takes care of adding accounts, and setting all the AD options
>>> for Kerberos service principals. including the afs/cellname@realm
>>> principal.
> Ok, I=B4ll have a look tomorrow.
>> 4. I created a afs user in the AD as a normal user with the login afs,
>> set user cannot change passwd, passwd never expires.
>> Afterward I setspn afs/cgv.tugraz.at to afs.
>> Was this correct? Any other options to check?
>>> Des only, and maybe the NO PAC option see:
>>> http://support.microsoft.com/kb/832572/
> Need to check, to.
>> 5. I installed the Win 2003 SP2 and tools for SP2, so no need to worry
>> about ktpass?
>>> Not if you use msktutil. There are some issues with what the "salt"
>>> when ktpass  creats des keys from a password for service principals.
> That seems to be a fine tool. Good to know.
>> 6. After ktpass export the afs key and import it into afs servers, I c=
>> change the clients to auth against Win 2003 AD. Is it enough just to
>> change the IP in the krb5.conf file?

IP? or the name of the KDC. You can also remove the kdc=3D lines
and use the DNS SRV records AD should already have in place:

set type=3DANY

>>> See questions on what are the realm names above. Sounds like you are
>>> using the
>>> same realm names for AD and the krb5.
> Yeah, til yet it worked more or less fine :-)
> Thanks.
> MfG,
> Lars Schimmer
> - --
> - -------------------------------------------------------------
> TU Graz, Institut f=FCr ComputerGraphik & WissensVisualisierung
> Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
> Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> iD8DBQFGZx04mWhuE0qbFyMRAvoRAJ9+uw3N8ucQgs2q7UZrHaKU8a8qzwCdFpbd
> =3D3YEY
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444