[OpenAFS] Re: how to set up cross cell trust

Christopher D. Clausen cclausen@acm.org
Wed, 2 May 2007 09:03:18 -0500


Chen, Wen-shiang <chenws47@ku.edu> wrote:
> Thank you for your response.  Let me describe a little bit more about
> the situation here.  Yes, we are concerned about the security issues
> related to kaserver, so we are moving toward using AD for
> authentication.  But we already have deployed AFS for a while, and
> kaserver was used at that time for various reasons.  Finally we got
> our AFS server upgraded to 1.4.2 late last year, and would like to

That OpenAFS version supports Kerberos 5.

> move to AD as the KDC.  But we would like to make the transition
> rather transparent to our AFS users, so my supervisor decided to use
> both kaserver and AD in parallel just for now.  The auth using
> kaserver is going to phase out in the near future.

Well, users will have to start using aklog instead of klog.  Klog will 
no longer work once you get rid of kaserver.  You will also need to 
update any PAM configurations and install Kerberos 5 libraries on all 
machines, in addition to the AFS clients.  If you need klog to work 
there might be a way to get a fakeka program running, but I'm not sure 
if it can be used with Active Directory.

> So the testing cell is NOT for future use.  The sole purpose of
> building it is to test if I can safely set up the cross realm trust
> without losing the current user/password database in the kaserver.
> Once I am confident how to build the cross-realm trust, the testing
> cell will be removed.

Ah, ok.  I do not think you need a cross-realm trust, so don't bother 
attempting to use it right now until you try adding the service 
principal directly.  See below.

>> What are you trying to do?
> To be honest, I am not so sure what the best strategy for doing this
> is, either. :p  I guess what I want is the one you suggested in the end of
> the response - treating both kaserver and the AD realms as equal.  I
> do not have the least idea of how to do that either.  I will try to
> join freenode tomorrow and see what I can find there then.

Read through this thread: 
http://www.openafs.org/pipermail/openafs-devel/2006-May/013793.html

You can have a realm trust, but it is not needed.  I'm not sure if that
setup will work with kaserver, but it is certainly worth a try to add an
afs service principal to the AD and to the KeyFiles on your AFS servers.
You'll also need to set up the krb.conf file and restart the servers, but
it should work.

Support for two Kerberos realms with a single cell is in the 1.4.2 
version that you are running.  (I am using this functionality myself, 
only with two Kerberos 5 realms, one AD and one MIT.)

-----

Please send replies to the list and NOT just me so that others may 
benefit.

<<CDC
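The server-side steps described above (import the afs service key into the KeyFile, list both realms in krb.conf, restart the servers, then test with aklog), written out as a script. This is an added example, not code from the thread or from OpenAFS; the cell name example.edu, the realms EXAMPLE.EDU and AD.EXAMPLE.EDU, and the keytab path are assumptions, as is the space-separated realm list used for krb.conf (check the krb.conf manual page for your OpenAFS version). The keytab itself is created on the AD side with ktpass; OpenAFS 1.4 only supports single-DES AFS keys, so the principal must be given a DES key there. The script runs in dry-run mode by default and only validates its own logic against a constructed klist listing.

```shell
#!/bin/sh
# Added example (not from the original thread). Installs an afs/<cell>
# key from a Kerberos 5 keytab into the AFS KeyFile, writes krb.conf
# naming both realms, restarts the servers and tests a token with aklog.
# All names below are assumptions; DRY_RUN=0 performs the real commands.
set -e

CELL="example.edu"                  # assumed AFS cell name
KA_REALM="EXAMPLE.EDU"              # assumed kaserver realm (cell name upper-cased)
AD_REALM="AD.EXAMPLE.EDU"           # assumed Active Directory realm
KEYTAB="${KEYTAB:-/tmp/afs.keytab}" # assumed keytab exported with ktpass on the AD side
AFSCONF="${AFSCONF:-/usr/afs/etc}"  # server configuration directory
DRY_RUN="${DRY_RUN:-1}"             # 1 = print commands, 0 = run them

# Constructed sample of `klist -k` output used for the offline self-check.
SAMPLE_KLIST='Keytab name: FILE:/tmp/afs.keytab
KVNO Principal
---- ----------------------------------------------------------
   3 afs/example.edu@AD.EXAMPLE.EDU'

# Echo a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# krb.conf body: the realm names that are valid for this cell, one line.
krb_conf_line() {
    printf '%s %s\n' "$1" "$2"
}

# Key version number of a principal from `klist -k` text ($1), or empty.
# asetkey must be given the same kvno as the keytab entry, or tokens
# minted by the KDC will not decrypt on the fileservers.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { kv = $1 } END { print kv }'
}

install_afs_key() {
    principal="afs/$CELL@$AD_REALM"
    listing=$(klist -k "$KEYTAB")        # needs the Kerberos 5 client tools
    kvno=$(keytab_kvno "$listing" "$principal")
    if [ -z "$kvno" ]; then
        echo "no entry for $principal in $KEYTAB" >&2
        return 1
    fi
    run asetkey add "$kvno" "$KEYTAB" "$principal"
    run bos listkeys localhost -localauth       # confirm the new kvno is present
}

write_krb_conf() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ write '$(krb_conf_line "$KA_REALM" "$AD_REALM")' to $AFSCONF/krb.conf"
    else
        krb_conf_line "$KA_REALM" "$AD_REALM" > "$AFSCONF/krb.conf"
    fi
}

restart_servers() {
    run bos restart localhost -all -localauth
}

# Client-side check: a Kerberos 5 TGT from AD turned into an AFS token.
test_token() {
    run kinit "testuser@$AD_REALM"
    run aklog -c "$CELL" -k "$AD_REALM"
    run tokens
}

main() {
    install_afs_key
    write_krb_conf
    restart_servers
    test_token
}

# Only the real procedure touches klist/asetkey/bos; invoke with --run.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Repeat the asetkey step on every database and file server in the cell so all KeyFiles carry the same key and kvno; klog keeps working against kaserver for as long as it runs, while users on the AD realm switch to kinit plus aklog.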