[OpenAFS] Setting up a new Win 2008r2 AD as krb5 server for OpenAFS

Douglas E. Engert deengert@anl.gov
Tue, 26 Oct 2010 09:08:20 -0500 

On 10/26/2010 7:51 AM, Jeffrey Altman wrote:
> On 10/26/2010 6:48 AM, Lars Schimmer wrote:
>> Hi!
>>
>> Due to some problems while migrating from 2003 to 2008 I need to redo my
>> complete AD.
>> Biggest problem beside the work to setup all users is:
>> creating new afs credential and set it up in the OpenAFS Fileservers.
>>
>> Is there any guide/step-by-step available now?
>> I once did it and did not documented it well :-(
>
> Unless someone like yourself wrote one and placed it in the wiki or
> updated the admin guide, the answer would be 'no'.
>
>>
>> So far I know:
>
> 0. Enable support for single DES in AD
>
>> 1. create user afs in AD, user cannot change pass, passwd never expires
>> 2. setspn afs afs/cgv.tugraz.at
>> 3. ktpass -out NAME.out.txt -princ afs@CGV.TUGRAZ.AT \
>>         -crypto DES-CBC-CRC +rndPass -DesOnly /ptype KRB5_NT_SRV_HST
>
> Use MIT kvno tool to request a service ticket for
> afs/cgv.tugraz.at@CGV.TUGRAZ.AT.   That will report the kvno.
> Or you can examine the user account object in AD.
>
>> 4. on fileservers: asetkey add 3 NAME.out.txt afs/cgv.tugraz.at
>
> replace "add 3" with "add<kvno>"
>
>> 5. restart fileservers.
>
> restart not required.  touch the server CellServDB file.
>
>> But as ktpass does not set the kvno in AD, how do I get the kvno?
>>
>> And do I miss a point?
>>

In addition to the above its a good idea to make sure you have the
2003 SP1 version of ktpass. http://support.microsoft.com/kb/892777

Also to keep the size of tokens small, consider setting the NO_AUTH DATA_REQUIRED
flag in the userAccountControl for the afs account. This tells AD not
to add a PAC to the service ticket for AFS. A ticket (and token) with a PAC can
be 12K or more, without it less the 1K. Currently AFS does not use the PAC.
http://support.microsoft.com/kb/832572

>>
>> MfG,
>> Lars Schimmer
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444