[OpenAFS] Documentation or howto for Active Directory as KDC

Douglas E. Engert deengert@anl.gov
Thu, 06 Nov 2008 11:06:40 -0600


Silvia Roedelsperger wrote:
> Hi,
> 
> I've got a question.
> 
> Does anyone know a documentation or a howto on using Active Directory 
> (Windows 2008 Server) as the KDC in an OpenAFS installation?

John Spoko Jr wrote this up:
http://www.openafs.org/pipermail/openafs-info/2007-January/025039.html

The case 1 looks good.

You may also want the AD admin to set the userAccountControl flag
0x2000000 in the afs account so the MS PAC will not be sent in the ticket.
The PAC can be large, 12K, and since AFS does not use it, it can reduce
the size of tickets/tokens from 13K to about 400 bytes.
See:
  http://support.microsoft.com/kb/832572

> 
> Our test environment for the OpenAFS server is running on a Debian Etch 
> machine.
> 
> I just found this old thread from 2004:
> http://www.openafs.org/pipermail/openafs-info/2004-June/013771.html
> 
> Unfortunately, this thread didn't help me very much.
> 
> To have two Kerberos-servers (on the one hand the Windows 2008 Server, 
> on the other hand a MIT-Kerberos Server at the Debian machine) with the 
> same user-accounts doesn't make very much sense to me.

Same realm names? Or not?

> 
> Thanks in advance! :-)
> 
> Greetings, Silvia

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
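
The userAccountControl check described in the reply above, as an added example that is not part of the original message or of OpenAFS: it reads an LDIF export of the service account, reports whether bit 0x2000000 is already set, and builds the LDIF modify record that sets it. The DNs and account values are constructed, the flag names are Microsoft's documented names for those bits, and the parser assumes plain-text (not base64) attribute values.

```python
import re

NO_AUTH_DATA_REQUIRED = 0x2000000  # value given in the message above

# A few userAccountControl bits, for readable output (not a complete list).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    NO_AUTH_DATA_REQUIRED: "NO_AUTH_DATA_REQUIRED",
}

# Constructed sample: LDIF as ldapsearch would print it (hypothetical DNs).
SAMPLE_LDIF = """\
dn: CN=afs,CN=Users,DC=example,DC=com
sAMAccountName: afs
userAccountControl: 66048

dn: CN=afs-test,CN=Users,DC=example,DC=com
sAMAccountName: afs-test
userAccountControl: 33620480
"""

def parse_ldif(text):
    """Return one dict per entry (lower-cased attribute -> first value)."""
    text = re.sub(r"\n ", "", text)  # unfold LDIF continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(key.strip().lower(), value.strip())
        if "dn" in entry and "useraccountcontrol" in entry:
            entries.append(entry)
    return entries

def decode_uac(value):
    """Names of the known bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def pac_suppression_change(entry):
    """LDIF modify record that sets the bit, or None if it is already set."""
    current = int(entry["useraccountcontrol"])
    if current & NO_AUTH_DATA_REQUIRED:
        return None
    return (f"dn: {entry['dn']}\nchangetype: modify\n"
            f"replace: userAccountControl\n"
            f"userAccountControl: {current | NO_AUTH_DATA_REQUIRED}\n")

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"], decode_uac(int(e["useraccountcontrol"])))
        print(pac_suppression_change(e) or "PAC already suppressed\n")
```

The record is built from the value read in the export, so it should be applied only if the account has not been changed in between.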