[OpenAFS] Documentation or howto for Active Directory as KDC

Rainer Laatsch Laatsch@uni-koeln.de
Thu, 6 Nov 2008 18:09:50 +0100 (CET)


If the 'cell' name equals the 'REALM' name modulo lower/upper case,
the 'gssklog' of D.Engert (@ANL) would do the trick. If not,
try this:
  the user should get a refreshable ticket (our AD does that)
  send the ticket to an AFS Server
     there: try to refresh the ticket with kinit -R
       (the AD KDC would do that only if valid and within time)
     if OK: read the ticket's realm with 'klist ... | grep ' krbtgt/'
     if that realm is in your trust list:
     forcibly create an AFS token
      (you cannot open the ticket and compute something from its contents)
      [Inspecting gssklog will show you the way]
     send the AFS credential to the user
   stuff it into the kernel [like gssklog]

This way your users may have tickets from different realms, and you
give them tokens for your cell.
Only some Perl and gssklog (+ possibly some code adaptation) are required;
have a look at
  /afs/rrz.uni-koeln.de/wsadmin/contrib/K5Gettoken.
My Readme for ticket passing with ssh-key login is:

  /afs/rrz.uni-koeln.de/wsadmin/contrib/  \
      README.ssh+credential-passing+AFS-token

We use something similar to prolong tokens for AFS users running long-term
jobs in our SGE batch system. That code stems from R. Tobbicke (@CERN).
We got it via W. Friebel (@DESY/Zeuthen). There I just replaced 'arc'
by 'ssh'.

No more hassle with cross-realm authentication.

Best Regards / Mit freundlichem Gruss
Rainer Laatsch

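The server-side check the reply sketches (refresh with kinit -R, read the realm from klist, compare it against a trust list), as an added shell example that is not part of the mail, of gssklog or of K5Gettoken; the trust list, the klist transcript and the realm names are constructed, and the token-creation step itself is left to the gssklog-derived code the mail points at.

```shell
#!/bin/sh
# Added example (not from the mail, gssklog or K5Gettoken). Implements the
# trust check from the reply; creating the AFS token is left to the
# gssklog-derived code the mail refers to.

# Realm of the TGT: the part after '@' on the first ' krbtgt/' line of klist.
extract_tgt_realm() {
    # $1: klist output text
    printf '%s\n' "$1" | grep ' krbtgt/' | head -n 1 \
        | sed -n 's/.*krbtgt\/[^@]*@\([A-Za-z0-9.-]*\).*/\1/p'
}

# Exact, case-sensitive whole-line match against the trust list, so that
# "ad.example.org" does not pass for "AD.EXAMPLE.ORG".
realm_trusted() {
    # $1: realm; $2: trusted realms, one per line
    printf '%s\n' "$2" | grep -qxF "$1"
}

# Server side of the procedure: KDC refresh first (an expired or tampered
# ticket does not renew), then realm extraction and the trust check.
# Prints the realm on success; needs KRB5CCNAME pointing at the cache the
# user sent.
check_ticket_realm() {
    # $1: trusted realms, one per line
    kinit -R >/dev/null 2>&1 || { echo "KDC refused to renew the ticket" >&2; return 1; }
    realm=$(extract_tgt_realm "$(klist 2>/dev/null)")
    [ -n "$realm" ] || { echo "no krbtgt entry in the cache" >&2; return 1; }
    realm_trusted "$realm" "$1" || { echo "realm '$realm' is not trusted" >&2; return 1; }
    printf '%s\n' "$realm"
    # next step (not shown here): create the AFS token for this user
}

# Constructed data so the helpers can be exercised offline: a trust list
# and a klist transcript in MIT format.
TRUSTED_REALMS='AD.EXAMPLE.ORG
RRZ.EXAMPLE.ORG'
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@AD.EXAMPLE.ORG

Valid starting       Expires              Service principal
11/06/2008 17:00:00  11/07/2008 03:00:00  krbtgt/AD.EXAMPLE.ORG@AD.EXAMPLE.ORG
        renew until 11/13/2008 17:00:00'

# Usage on a real server:
#   KRB5CCNAME=/tmp/krb5cc_user check_ticket_realm "$TRUSTED_REALMS"
```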
-----------------------------------------------------------------------------

On Thu, 6 Nov 2008, Silvia Roedelsperger wrote:

> Hi,
>
> I've got a question.
>
> Does anyone know of documentation or a howto on using Active Directory 
> (Windows 2008 Server) as the KDC in an OpenAFS installation?
>
> Our test environment for the OpenAFS server is running on a Debian Etch 
> machine.
>
> I just found this old thread from 2004:
> http://www.openafs.org/pipermail/openafs-info/2004-June/013771.html
>
> Unfortunately, this thread didn't help me very much.
>
> To have two Kerberos servers (on the one hand the Windows 2008 Server, on the 
> other hand a MIT Kerberos server on the Debian machine) with the same 
> user accounts doesn't make very much sense to me.
>
> Thanks in advance! :-)
>
> Greetings, Silvia
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>