[OpenAFS] Help wanted: ADS and MIT Kerberos auth for openafs

Eric Chris Garrison ecgarris@iupui.edu
Wed, 24 Jun 2009 11:25:03 -0400



Hello,

My site is being converted from MIT Kerberos to MS Active Directory (ADS)
for Kerberos authentication.  It looks to me like we should be able to set
up AFS to accept tickets from either realm somehow.

I've added an afs service principal from each of two realms to the KeyFile
using asetkey.   I've added both realms in /etc/krb.conf, the first two
lines of the file being the two realms.

I think I'm missing a step, though, as it doesn't map the principals from
the ADS realm to AFS users the way our existing realm does.

Any advice, especially a pointer to non-obsolete documentation on the
subject, would be very much appreciated!

Thank you,

Chris
--
Eric Chris Garrison             | Principal Mass Storage Specialist
ecgarris@iupui.edu              | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgarris@iupui.edu