[OpenAFS] Need to setup Kerberos Environment

Jeffrey Altman jaltman@secure-endpoints.com
Fri, 09 Dec 2011 14:20:15 -0500


On 12/9/2011 2:03 PM, Valentine, Nick wrote:
> I can't use just active directory, because student ID's for AFS are created off a separate LDAP system, as well as not using that system for aut
> I need to be able to test a trust relationship off of one Kerberos system running on Solaris to a Windows domain.
> At present, do not have a single sign on system. We are using OpenAFS 1.6. As such, I have to learn to "coexist" by creating an intermediate test environment to explore the possibilities of using a trust relationship so students can use the 1.7 client and just sign on once.
> I don't know why we have three authentication systems, but my job is not to ask why :-)
> Do you have a link to documentation that could clarify this sort of OpenAFS Server configuration?

Setting up an authentication infrastructure using Kerberos v5 is not an
OpenAFS question.  The OpenAFS piece is strictly the creation of the
afs/<cell>@<REALM> service principal entry within the realm(s) that are
to be treated as local authentication services for the AFS cell.  Those
realms must be listed in the OpenAFS krb.conf file.


The role of the Kerberos KDC to OpenAFS is documented in the OpenAFS
Administrator's guide.


How to use Integrated Logon on a Windows system is documented in the
OpenAFS Windows Release Notes:


How to set up cross-realm is a subject for your Kerberos and Active
Directory documentation.

When the 2008 AFS and Kerberos Workshop took place at NJIT the plan at
the time was to convert NJIT's AFS deployment from using kaserver to a
Kerberos v5 realm.  Based on your questions I am guessing that project
was never completed.

Jeffrey Altman
