[OpenAFS] Documentation or howto for Active Directory as KDC
Rainer Laatsch
Laatsch@uni-koeln.de
Thu, 6 Nov 2008 18:09:50 +0100 (CET)
If the 'cell' name equals the 'REALM' name modulo lower/upper case,
the 'gssklog' of D.Engert (@ANL) would do the trick. If not,
try this:
  the user should get a refreshable ticket (our AD does that)
  send the ticket to an AFS server
  there: try to refresh the ticket with kinit -R
         (the AD KDC would do that only if valid and within time)
  if OK: read the ticket's realm with 'klist ... | grep ' krbtgt/'
         if that realm is in your trust list:
             forcibly create an AFS token
             (you cannot open the ticket and compute something from its contents)
             [Inspecting gssklog will show you the way]
         send the AFS credential to the user
         stuff it into the kernel [like gssklog]
This way your users may have tickets from different realms, to whom you
give tokens for your cell.
Only some perl and gssklog (+ possibly some code adaptation) are required;
have a look at
/afs/rrz.uni-koeln.de/wsadmin/contrib/K5Gettoken.
My Readme for ticket passing with ssh-key login is:
/afs/rrz.uni-koeln.de/wsadmin/contrib/README.ssh+credential-passing+AFS-token
We use something similar to prolong tokens for AFS users running long-term
jobs in our SGE batch system. That code stems from R. Tobbicke (@CERN).
We got it via W. Friebel (@DESY/Zeuthen). There I just replaced 'arc'
by 'ssh'.
No more hassle with cross-realm authentication.
Best Regards / Mit freundlichem Gruss
Rainer Laatsch
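As an added illustration of the trust check in the steps above (this is not code from the post, nor from gssklog or K5Gettoken): a POSIX sh gate that reads the TGT's issuing realm from klist output and only passes when that realm is on the cell's trust list. The klist text, realm names and trust list are constructed for the example, and MIT klist output format is assumed; the token-creation step itself is left to the tool you use.

```sh
#!/bin/sh
# Constructed sample of MIT 'klist' output (not captured from a real host).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
11/06/08 18:00:00  11/07/08 04:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 11/13/08 18:00:00
11/06/08 18:01:00  11/07/08 04:00:00  afs/cell.example.com@AFS.EXAMPLE.COM'

# Realms the cell administrator trusts (assumed list, one realm per line).
TRUSTED_REALMS='AD.EXAMPLE.COM
AFS.EXAMPLE.COM'

# Print the realm that issued the TGT: the part after '@' on the
# ' krbtgt/' line. Fails (exit 1) when there is no TGT line, or more
# than one (an ambiguous cache is refused rather than guessed).
tgt_realm() {
    printf '%s\n' "$1" | awk '
        / krbtgt\// {
            n++
            sub(/.*@/, "", $NF)   # the service principal is the last field
            realm = $NF
        }
        END { if (n != 1 || realm == "") exit 1; print realm }'
}

# Succeed only when the realm appears verbatim in the trust list
# (exact, case-sensitive match: Kerberos realm names are case-sensitive).
realm_trusted() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# The gate: run after 'kinit -R' has succeeded, before any AFS token is
# created. Returns 0 when the TGT's realm is trusted, 1 otherwise.
gate_token() {
    realm=$(tgt_realm "$1") || return 1
    realm_trusted "$realm" "$2"
}

# Stand-alone run against the constructed sample.
if gate_token "$SAMPLE_KLIST" "$TRUSTED_REALMS"; then
    echo "realm $(tgt_realm "$SAMPLE_KLIST") trusted: token step may proceed"
else
    echo "ticket realm not trusted: no token" >&2
fi
```

In a real deployment the first argument would be the output of klist run in the user's credential cache on the AFS server, after a successful kinit -R.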
-----------------------------------------------------------------------------
On Thu, 6 Nov 2008, Silvia Roedelsperger wrote:
> Hi,
>
> I've got a question.
>
> Does anyone know a documentation or a howto on using Active Directory
> (Windows 2008 Server) as the KDC in an OpenAFS installation?
>
> Our test environment for the OpenAFS server is running on a Debian Etch
> machine.
>
> I just found this old thread from 2004:
> http://www.openafs.org/pipermail/openafs-info/2004-June/013771.html
>
> Unfortunately, this thread didn't help me very much.
>
> To have two Kerberos servers (on the one hand the Windows 2008 Server, on the
> other hand a MIT Kerberos server on the Debian machine) with the same
> user accounts doesn't make very much sense to me.
>
> Thanks in advance! :-)
>
> Greetings, Silvia