[OpenAFS] Question Win AD domain, krb5 REALM
Christopher D. Clausen
Sat, 12 May 2007 12:56:47 -0500
Lars Schimmer <email@example.com> wrote:
> Jeffrey Altman wrote:
>> Lars Schimmer wrote:
>>> I've got some questions about Win LogOn and obtaining tokens/tickets
>>> while logon.
>>> Our setup: 1 windows AD server (CGV is the domain name)
>>> 1 linux MIT krb5 server (REALM: CGV.TUGRAZ.AT)
>>> OpenAFS Cell cgv.tugraz.at
>> Rename one of your realms. Or add afs/cgv.tugraz.at service tickets
>> to both realms with different kvnos and insert both keys in the AFS
> Ok, not really easy but doable (just 20 PC and about 40 ppl here).
> But what is the best way to go on from here?
> OpenAFS cell is up and running with users.
> Windows AD is up and running with about 20 PCs/users.
> Given: a subnet .128/25 routeable.
> And the cell with the server is out in CellServDB (yeah, I won't
> change my OpenAFS cell).
I would suggest just using the AD as the only Kerberos realm. Why do
you even have the other Kerberos 5 realm?
> Wanted: a nice, "easy" krb5 setup, using the Win AD for users to
> logon, OpenAFS as win profile dataspace and obtaining ticket/token at
It is pretty easy now. Use ktpass.exe on Windows to extract the
principal for the AFS service and then use asetkey on your AFS server to
import that into the AFS KeyFile with the same kvno.
> Is it no problem to rename the AD to another name different from the
> DNS server entry? (cgv.tugraz.at is our resolve).
> I'm not really familiar with AD and all its assumptions...
I believe that it is possible to rename AD to a different name.
> Is using the AD server as krb5 auth server the better way?
I would think that would be easier than renaming AD and trying to use
> If I rename the AD, I need to do cross auth setup between MIT and win
> AD, right?
No, you do not NEED cross-realm. You can just add the afs principal to each
realm. Or better yet, just pick a single realm and use it and get rid
of the other one. It would probably be best to keep the AD realm for
the management features on Windows.
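An added check for the ktpass/asetkey step described above (example script, not from the thread or from OpenAFS): it reads the kvno out of the keytab ktpass wrote, reads the kvno the AD KDC currently reports, refuses to import on mismatch, and only then runs asetkey. It assumes MIT klist and kvno on the AFS server, a valid TGT in the credential cache, the keytab copied to /tmp/afs.keytab, and an AD account named afs-cgv (hypothetical).

```shell
#!/bin/sh
# Added example, not from the thread. Run on the AFS server after copying
# over the keytab written on the domain controller by (account name afs-cgv
# is hypothetical; the KeyFile of that era held a single DES key):
#   ktpass /princ afs/cgv.tugraz.at@CGV.TUGRAZ.AT /mapuser afs-cgv ^
#          /crypto DES-CBC-CRC /ptype KRB5_NT_PRINCIPAL /pass * /out afs.keytab
# ktpass prints the kvno it wrote; this script re-derives it from the keytab
# and compares it with what the KDC serves now, because a kvno mismatch
# leaves the fileservers unable to decrypt any client token.

PRINC="afs/cgv.tugraz.at@CGV.TUGRAZ.AT"
KEYTAB="${KEYTAB:-/tmp/afs.keytab}"

# Parse "klist -k -e <keytab>" output on stdin; print the kvno of principal $1.
# Entry lines look like: "   3 afs/cgv.tugraz.at@CGV.TUGRAZ.AT (DES cbc mode with CRC-32)"
keytab_kvno() {
    awk -v p="$1" '$2 == p { print $1; exit }'
}

# Parse "kvno <principal>" output on stdin; print the kvno the KDC reports.
# The line looks like: "afs/cgv.tugraz.at@CGV.TUGRAZ.AT: kvno = 3"
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") { print $NF; exit }'
}

# Succeed only when both values are present and equal.
same_kvno() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

main() {
    kt=$(klist -k -e "$KEYTAB" | keytab_kvno "$PRINC")
    kdc=$(kvno "$PRINC" | kdc_kvno "$PRINC")
    if ! same_kvno "$kt" "$kdc"; then
        echo "refusing to import: keytab kvno='$kt' but KDC kvno='$kdc'" >&2
        exit 1
    fi
    # Import under the matching kvno, then confirm the KeyFile lists it.
    asetkey add "$kt" "$KEYTAB" "$PRINC"
    asetkey list
}

# Live steps run only with --run, so the functions can be sourced and
# exercised on a machine without klist/kvno/asetkey.
case "${1:-}" in --run) main ;; esac
```

Run it as `sh check-afs-kvno.sh --run` on the AFS server; a non-zero exit means the keytab and the KDC disagree and ktpass should be rerun before touching the KeyFile.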