[OpenAFS] Windows Integration with Kerberos

Franco Milicchio senseiwa@mac.com
Mon, 21 Apr 2008 19:15:27 +0200


On Apr 21, 2008, at 6:21pm, Prasun Gupta wrote:

> We would like to use windows client to authenticate with a Kerberos
> Server (KDC), get a windows user's roaming profile and then map the
> user's afs homespace on the machine.
>
> From what I have read the user Kerberos credentials have to be
> mapped to a windows user account, defined locally or in active
> directory.
> We would like to not have any windows user account or an active
> directory account. The only places account information would be kept
> is in Kerberos and the openafs servers.
>
> Our Goal: Get rid of Active Directory or local windows user accounts.
>
> Has anybody implemented this?
>
> Is it essential to maintain a Windows Active directory Server or
> have all the local user accounts defined on the windows clients?
>
> Thanking in advance for any pointers or suggestions in this regard.


Somewhere you have to map user accounts. You can use samba, AD, or
local accounts. There is to my knowledge no real or feasible way of
obtaining the same behavior as with pam under unix.

Anyway, many of the elders here may help you more than I can do.

Cheers!
