[OpenAFS] Setting up a new Win 2008r2 AD as krb5 server for OpenAFS

Lars Schimmer l.schimmer@cgv.tugraz.at
Tue, 26 Oct 2010 17:04:12 +0200


On 26.10.2010 14:51, Jeffrey Altman wrote:
> On 10/26/2010 6:48 AM, Lars Schimmer wrote:
>> Hi!
>>
>> Due to some problems while migrating from 2003 to 2008 I need to redo my
>> complete AD.
>> Biggest problem besides the work to set up all users is:
>> creating new afs credential and set it up in the OpenAFS Fileservers.
>>
>> Is there any guide/step-by-step available now?
>> I once did it and did not document it well :-(
>
> Unless someone like yourself wrote one and placed it in the wiki or
> updated the admin guide, the answer would be 'no'.

Looks like we are one out of 10 running this setup worldwide. I try to
document my steps well and put it up later on.

>> So far I know:
>
> 0. Enable support for single DES in AD
>
>> 1. create user afs in AD, user cannot change pass, passwd never expires
>> 2. setspn afs afs/cgv.tugraz.at
>> 3. ktpass -out NAME.out.txt -princ afs@CGV.TUGRAZ.AT \
>>        -crypto DES-CBC-CRC +rndPass -DesOnly /ptype KRB5_NT_SRV_HST
>
> Use MIT kvno tool to request a service ticket for
> afs/cgv.tugraz.at@CGV.TUGRAZ.AT.   That will report the kvno.
> Or you can examine the user account object in AD.
>
>> 4. on fileservers: asetkey add 3 NAME.out.txt afs/cgv.tugraz.at
>
> replace "add 3" with "add <kvno>"
>
>> 5. restart fileservers.
>
> restart not required.  touch the server CellServDB file.
>

Thank you. That was the information I needed. Will try and report back.


Best regards,
Lars Schimmer
-- 
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723