[OpenAFS] Question Win AD domain, krb5 REALM

Christopher D. Clausen cclausen@acm.org
Sat, 12 May 2007 12:56:47 -0500


Lars Schimmer <l.schimmer@cgv.tugraz.at> wrote:
> Jeffrey Altman wrote:
>> Lars Schimmer wrote:
>>> Hi!
>>>
>>> I've got some questions about Win LogOn and obtaining tokens/tickets
>>> while logging on.
>>>
>>> Our setup: 1 windows AD server (CGV is the domain name)
>>> 1 linux MIT krb5 server (REALM: CGV.TUGRAZ.AT)
>>> OpenAFS Cell cgv.tugraz.at
>>
>> Rename one of your realms.  Or add afs/cgv.tugraz.at service tickets
>> to both realms with different kvnos and insert both keys in the AFS
>> keyfile.
>
> Ok, not really easy but doable (just 20 PC and about 40 ppl here).
> But what is the best way to go on from here?
> OpenAFS cell is up and running with users.
> Windows AD is up and running with about 20 PCs/users.
> Given: a subnet .128/25 routeable.
> And the cell with the server is out in CellServDB (yeah, I won't
> change my OpenAFS cell).

I would suggest just using the AD as the only Kerberos realm.  Why do 
you even have the other Kerberos 5 realm?

> Wanted: a nice, "easy" krb5 setup, using the Win AD for users to
> logon, OpenAFS as win profile dataspace and obtaining ticket/token at
> logon.

It is pretty easy now.  Use ktpass.exe on Windows to extract the 
principal for the AFS service and then use asetkey on your AFS server to 
import that into the AFS KeyFile with the same kvno.

> Is it no problem to rename the AD to a name different from the
> DNS server entry? (cgv.tugraz.at is our resolve.)
> I'm not really familiar with AD and all its assumptions...

I believe that it is possible to rename AD to a different name.

> Is using the AD server as krb5 auth server the better way?

I would think that would be easier than renaming AD and trying to use 
two realms.

> If I rename the AD, I need to do cross auth setup between MIT and win
> AD, right?

No, you do not NEED cross-realm.  You can just add an afs principal to each 
realm.  Or better yet, just pick a single realm and use it and get rid 
of the other one.  It would probably be best to keep the AD realm for 
the management features on Windows.

<<CDC
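The ktpass/asetkey procedure Christopher describes, as an added worked example that is not part of the original thread or of OpenAFS itself. It is the script one would run on the AFS server after copying over the keytab that ktpass.exe wrote on the domain controller; the ktpass command itself appears as a comment, and the AD account name "afs-cgv" is a hypothetical choice. Before calling asetkey it checks the two things that most often break this setup: the key is not single DES (the only key type the OpenAFS KeyFile of that era holds, so the AD account needs "Use DES encryption types for this account" enabled), or the kvno in the keytab no longer matches what the KDC issues because the account password was set again after the export. With no arguments it runs the parser over a constructed sample of klist output so it can be tried without a keytab.

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenAFS). Load the
# afs/cgv.tugraz.at key exported by ktpass.exe into the OpenAFS KeyFile with
# asetkey, after checking key type and kvno against the live KDC.
#
# What the Windows side is assumed to have run (account "afs-cgv" is
# hypothetical; it must have "Use DES encryption types" set in AD):
#   ktpass /princ afs/cgv.tugraz.at@CGV.TUGRAZ.AT /mapuser afs-cgv ^
#          /crypto DES-CBC-CRC /ptype KRB5_NT_PRINCIPAL /pass * /out afs.keytab
# ktpass prints the kvno it wrote; AD raises the kvno on every password set.

PRINC="afs/cgv.tugraz.at@CGV.TUGRAZ.AT"

# parse_klist PRINCIPAL: read `klist -k -t -e KEYTAB` output (MIT format) on
# stdin and print "KVNO<TAB>ENCTYPE" for each entry belonging to PRINCIPAL.
parse_klist() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && index($0, p " (") {
            kv = $1
            et = $0
            sub(/^[^(]*\(/, "", et)    # keep only the "(enctype)" tail ...
            sub(/\)[ \t]*$/, "", et)   # ... without its parentheses
            print kv "\t" et
        }'
}

# pick_kvno: read parse_klist output on stdin; print the kvno if there is
# exactly one entry and its key is single DES, otherwise fail with a reason.
pick_kvno() {
    awk -F'\t' '
        { n++; kv = $1; et = $2 }
        END {
            if (n != 1) {
                print "expected one keytab entry for the AFS principal, found " n+0 > "/dev/stderr"
                exit 1
            }
            if (et !~ /^DES cbc mode/ && et !~ /^des-cbc-/) {
                print "enctype \"" et "\" is not single DES; rerun ktpass with /crypto DES-CBC-CRC" > "/dev/stderr"
                exit 1
            }
            print kv
        }'
}

# import_key KEYTAB: verify the keytab against the live KDC, then load it.
# Needs a valid TGT (kinit first) for the kvno lookup, and root for asetkey.
import_key() {
    keytab=$1
    kv=$(klist -k -t -e "$keytab" | parse_klist "$PRINC" | pick_kvno) || return 1
    # `kvno` fetches a service ticket from the KDC and reports its kvno, i.e.
    # the number the AFS servers will see in the tokens clients present.
    kdc_kv=$(kvno "$PRINC" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p')
    if [ "$kv" != "$kdc_kv" ]; then
        echo "keytab kvno $kv != KDC kvno $kdc_kv: password set again after ktpass, export the keytab anew" >&2
        return 1
    fi
    asetkey add "$kv" "$keytab" "$PRINC" && asetkey list
}

# Constructed sample of klist output (not captured from a real system): one
# usable AFS key plus an AES host key that must be ignored.
SAMPLE_KLIST='Keytab name: FILE:afs.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 05/12/07 12:56:47 afs/cgv.tugraz.at@CGV.TUGRAZ.AT (DES cbc mode with CRC-32)
   7 05/12/07 12:56:47 host/fs1.cgv.tugraz.at@CGV.TUGRAZ.AT (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# demo: run the parser over the sample and print the kvno it would import.
demo() {
    printf '%s\n' "$SAMPLE_KLIST" | parse_klist "$PRINC" | pick_kvno
}

if [ $# -gt 0 ]; then
    import_key "$1"
else
    demo
fi
```

Run it as `sh import-afs-key.sh /root/afs.keytab` on the AFS server after `kinit` with any principal in the AD realm; `asetkey list` at the end should show the new kvno beside any key already in the KeyFile. When two realms really are kept, as Jeffrey suggested, the same script is run once per keytab, and the kvnos must differ because the KeyFile is indexed by kvno alone.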