[OpenAFS] Documentation or howto for Active Directory as KDC
Thu, 6 Nov 2008 18:09:50 +0100 (CET)
If the 'cell' name equals the 'REALM' name modulo lower/upper case,
the 'gssklog' of D.Engert (@ANL) would do the trick. If not,
the user should get a refreshable ticket (our AD does that) and
send the ticket to an AFS server; there:
  - try to refresh the ticket with kinit -R
    (the AD KDC would do that only if valid and within time)
  - if OK: read the ticket's realm with 'klist ... | grep ' krbtgt/'
  - if that realm is in your trust list:
    forcibly create an AFS token
    (you cannot open the ticket and compute something from its contents)
    [Inspecting gssklog will show you the way]
  - send the AFS credential to the user
  - stuff it into the kernel [like gssklog]
This way your users may have tickets from different realms, and you
give them tokens for your cell.
Only some perl and gssklog (+ possibly some code adaptation) is required;
have a look at
My Readme for ticket passing with ssh-key login is:
We use something similar to prolong tokens for AFS users running long-term
jobs in our SGE batch system. That code stems from R. Tobbicke (@CERN).
We got it via W. Friebel (@DESY/Zeuthen). There I just replaced 'arc'
No more hassle with cross-realm authentication.
Best Regards / Mit freundlichem Gruss
On Thu, 6 Nov 2008, Silvia Roedelsperger wrote:
> I've got a question.
> Does anyone know a documentation or a howto on using Active Directory
> (Windows 2008 Server) as the KDC in an OpenAFS installation?
> Our test environment for the OpenAFS server is running on a Debian Etch
> I just found this old thread from 2004:
> Unfortunately, this thread didn't help me very much.
> To have two Kerberos servers (on the one hand the Windows 2008 Server, on the
> other hand an MIT Kerberos server on the Debian machine) with the same
> user accounts doesn't make very much sense to me.
> Thanks in advance! :-)
> Greetings, Silvia
> OpenAFS-info mailing list
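The server-side part of the procedure sketched in the reply above (renew the forwarded ticket with kinit -R, read the realm off the krbtgt entry in klist output, and only then decide whether to hand out a token) as an added POSIX sh example. It is not code from the post, from gssklog or from the CERN/DESY scripts mentioned there. The trusted-realm list, the cell name and the sample klist output are constructed for illustration; creating and injecting the AFS token itself is left to gssklog/aklog-style tooling, which the script only names. The one thing the example adds beyond the post is an exact-match realm comparison, since a bare grep of the trust list would also accept a realm name that merely contains a trusted one.

```bash
#!/bin/sh
# Added example, not from the mailing-list post. Realm list, cell name and
# paths are assumptions; klist output is parsed as plain text.

# Realms whose users may receive a token for our cell (assumed list).
TRUSTED_REALMS="AD.EXAMPLE.ORG MIT.EXAMPLE.ORG"

# ticket_realm: read klist output on stdin and print the realm that issued
# the TGT, i.e. the part after '@' on the first ' krbtgt/' line.
# Returns 1 if the cache holds no TGT at all.
ticket_realm() {
    realm=$(grep ' krbtgt/' | head -n 1 |
            sed -n 's/.* krbtgt\/[^@]*@\([A-Za-z0-9._-]*\).*/\1/p')
    [ -n "$realm" ] || return 1
    printf '%s\n' "$realm"
}

# realm_trusted REALM: succeed only if REALM is exactly one entry of
# TRUSTED_REALMS. A substring match (grep without anchors) would also
# accept e.g. "AD.EXAMPLE.ORG.EVIL".
realm_trusted() {
    for r in $TRUSTED_REALMS; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# Constructed klist output for a user whose TGT came from AD
# (sample input for the functions above, not a real credential cache).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_in
Default principal: silvia@AD.EXAMPLE.ORG

Valid starting     Expires            Service principal
11/06/08 18:00:00  11/07/08 04:00:00  krbtgt/AD.EXAMPLE.ORG@AD.EXAMPLE.ORG
        renew until 11/13/08 18:00:00
11/06/08 18:01:00  11/07/08 04:00:00  afs/cell.example.org@AD.EXAMPLE.ORG'

# issue_token_for_cache CCACHE: the whole server-side flow on a real host.
# kinit -R is the authenticity check: the KDC only renews a ticket that is
# still valid and inside its renew-until window. Only after that succeeds
# is the realm read and compared against the trust list.
issue_token_for_cache() {
    KRB5CCNAME="$1"; export KRB5CCNAME
    kinit -R || { echo "renew failed: ticket invalid or expired" >&2; return 1; }
    realm=$(klist | ticket_realm) || { echo "no TGT in cache" >&2; return 1; }
    if realm_trusted "$realm"; then
        # Token creation (gssklog/aklog-style) would go here.
        echo "realm $realm trusted: create AFS token for this user"
    else
        echo "realm $realm not in trust list: refuse" >&2
        return 1
    fi
}
```

On the AFS server the forwarded cache would be passed as `issue_token_for_cache /tmp/krb5cc_in`; the parsing and trust-list functions can be exercised offline with `printf '%s\n' "$SAMPLE_KLIST" | ticket_realm`.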