[OpenAFS] Setting up a new Win 2008r2 AD as krb5 server for OpenAFS
Douglas E. Engert
Tue, 26 Oct 2010 09:08:20 -0500
On 10/26/2010 7:51 AM, Jeffrey Altman wrote:
> On 10/26/2010 6:48 AM, Lars Schimmer wrote:
>> Due to some problems while migrating from 2003 to 2008 I need to redo my
>> complete AD.
>> Biggest problem beside the work to setup all users is:
>> creating new afs credential and set it up in the OpenAFS Fileservers.
>> Is there any guide/step-by-step available now?
>> I once did it and did not document it well :-(
> Unless someone like yourself wrote one and placed it in the wiki or
> updated the admin guide, the answer would be 'no'.
>> So far I know:
> 0. Enable support for single DES in AD
>> 1. create user afs in AD, user cannot change pass, passwd never expires
>> 2. setspn afs afs/cgv.tugraz.at
>> 3. ktpass -out NAME.out.txt -princ afs@CGV.TUGRAZ.AT \
>> -crypto DES-CBC-CRC +rndPass -DesOnly /ptype KRB5_NT_SRV_HST
> Use MIT kvno tool to request a service ticket for
> afs/cgv.tugraz.at@CGV.TUGRAZ.AT. That will report the kvno.
> Or you can examine the user account object in AD.
>> 4. on fileservers: asetkey add 3 NAME.out.txt afs/cgv.tugraz.at
> replace "add 3" with "add <kvno>"
>> 5. restart fileservers.
> restart not required. touch the server CellServDB file.
>> But as ktpass does not set the kvno in AD, how do I get the kvno?
>> And do I miss a point?
In addition to the above it's a good idea to make sure you have the
2003 SP1 version of ktpass. http://support.microsoft.com/kb/892777
Also to keep the size of tokens small, consider setting the NO_AUTH_DATA_REQUIRED
flag in the userAccountControl for the afs account. This tells AD not
to add a PAC to the service ticket for AFS. A ticket (and token) with a PAC can
be 12K or more, without it less than 1K. Currently AFS does not use the PAC.
>> Lars Schimmer
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
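The fileserver side of the procedure discussed above (request a service ticket with MIT kvno to learn the kvno, feed it to asetkey, then touch CellServDB instead of restarting), written up as an added shell example; it is not code from the thread or from OpenAFS. It assumes MIT Kerberos client tools and OpenAFS asetkey are on PATH, that a TGT was already obtained with kinit, and that the keytab and CellServDB paths below (placeholders) match your installation.

```shell
#!/bin/sh
# Added example, not from the OpenAFS thread. Installs the AD-issued afs key
# on a fileserver using the kvno reported by the KDC rather than a guessed "3".

SPN="afs/cgv.tugraz.at"                      # service principal from the thread
REALM="CGV.TUGRAZ.AT"
KEYTAB="/etc/openafs/server/NAME.out.txt"    # placeholder: ktpass -out file copied here
CELLSERVDB="/etc/openafs/server/CellServDB"  # placeholder: adjust to your layout

# Extract the key version number from MIT kvno output, which looks like
#   afs/cgv.tugraz.at@CGV.TUGRAZ.AT: kvno = 3
# Returns 1 (and prints nothing) if no "kvno = N" is present, e.g. when the
# KDC answered "Server not found in Kerberos database" because the SPN is missing.
parse_kvno() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*: kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$n" ] || return 1
    printf '%s\n' "$n"
}

# Full procedure: asking for a service ticket doubles as a check that the SPN
# and account really exist in AD; then install the key under the right kvno and
# touch CellServDB so the fileserver re-reads its keys without a restart.
install_afs_key() {
    out=$(kvno "$SPN@$REALM") || { echo "kvno failed for $SPN@$REALM" >&2; return 1; }
    kv=$(parse_kvno "$out") || { echo "no kvno in kvno output: $out" >&2; return 1; }
    echo "installing $SPN with kvno $kv from $KEYTAB"
    asetkey add "$kv" "$KEYTAB" "$SPN" || return 1
    touch "$CELLSERVDB"
}

# Uncomment to run on a real fileserver (needs root and a valid TGT):
# install_afs_key
```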