[OpenAFS] OpenAFS + Active Directory documentation

Christopher D. Clausen cclausen@acm.org
Thu, 23 Apr 2009 18:45:13 -0500


Josh Fiske <jfiske@clarkson.edu> wrote:
> I've been doing a lot of research recently...  We have an old (circa
> 2003) AFS cell and are looking at replacing those aging servers.  For
> our new implementation, I hope to (read as:  "have received an edict
> that we must...") be able to use Active Directory as the
> authentication source.  Initially, I began the new server
> installation following the Quick Start guide[1], but it still uses
> kaserver (krb4)...so that was right out.
>
> Can anyone point me towards some detailed documentation on the
> subject?  If no documentation exists, might someone be able to help
> step me through the process?  If the latter, I would be happy to
> create detailed (step-by-step) documentation of the setup to share
> with the community (perhaps as an update to the Quick Start
> guide[1]).

Please ask questions in the #openafs IRC channel on freenode.

Basically, you use ktpass.exe to create an afs/cellname@AD.DOMAIN (after 
marking the user account DES only within AD) service principal for use 
by AFS and then import this keytab into the AFS KeyFile using asetkey.

Note that this only uses AD for authentication.  You still need to add 
users to PTS for authorization to AFS.

You can try and look at:
https://w3.physics.uiuc.edu/physwiki/doku.php?id=pcs:unix:afs

Note that I did not write that, but I do use AD.UIUC.EDU for several AFS 
cells.  I also would not have used ktutil when asetkey works just fine.

<<CDC
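
Added example (not part of the original message, and not OpenAFS code): before importing the ktpass-generated keytab with asetkey, this Python code reads the keytab and reports the key version number of the afs/cellname entry and whether its key is single DES, as the DES-only step in the message implies. It assumes the MIT keytab file format version 0x0502; the cell name, realm and sample bytes are constructed.

```python
import struct

DES_ENCTYPES = {1, 2, 3}   # des-cbc-crc, des-cbc-md4, des-cbc-md5
# Constructed sample: one entry for afs/cell.example.edu@AD.EXAMPLE.EDU, kvno 3, DES, zero key.
SAMPLE = (b"\x05\x02" b"\x00\x00\x00\x3e" b"\x00\x02"
          b"\x00\x0eAD.EXAMPLE.EDU" b"\x00\x03afs" b"\x00\x10cell.example.edu"
          b"\x00\x00\x00\x01" b"\x00\x00\x00\x00" b"\x03" b"\x00\x01\x00\x08" + bytes(8))

def _counted(data, p):
    """Read a 16-bit length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype, key_length)] from version 0x0502 keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        p += 8                             # skip name type and timestamp
        kvno, enctype = struct.unpack_from(">BH", data, p)
        key, p = _counted(data, p + 3)
        if end - p >= 4:                   # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype, len(key)))
        pos = end
    return entries

def check_afs_keytab(data, cell, realm):
    """Return (highest kvno, problems) for afs/<cell>@<realm>; kvno is None if absent."""
    want = f"afs/{cell}@{realm}"
    found = [e for e in parse_keytab(data) if e[0] == want]
    if not found:
        return None, [f"no entry for {want}"]
    problems = [f"kvno {k}: enctype {e} is not single DES" for _, k, e, _ in found
                if e not in DES_ENCTYPES]
    return max(e[1] for e in found), problems
```

The kvno returned here is the value to give asetkey when adding the key, so that the KeyFile entry matches the key version AD issues tickets under.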