[OpenAFS] Need to setup Kerberos Environment

Jeffrey Altman jaltman@secure-endpoints.com
Fri, 09 Dec 2011 14:20:15 -0500


On 12/9/2011 2:03 PM, Valentine, Nick wrote:
> I can't use just Active Directory, because student IDs for AFS are created off a separate LDAP system, as well as not using that system for authentication.
>
> I need to be able to test a trust relationship off of one Kerberos system running on Solaris to a Windows domain.
>
> At present, do not have a single sign on system. We are using OpenAFS 1.6. As such, I have to learn to "coexist" by creating an intermediate test environment to explore the possibilities of using a trust relationship so students can use the 1.7 client and just sign on once.
>
> I don't know why we have three authentication systems, but my job is not to ask why :-)
>
> Do you have a link to documentation that could clarify this sort of OpenAFS Server configuration?


Setting up an authentication infrastructure using Kerberos v5 is not an
OpenAFS question.  The OpenAFS piece is strictly the creation of the
afs/<cell>@<REALM> service principal entry within the realm(s) that are
to be treated as local authentication services for the AFS cell.  Those
realms must be listed in the OpenAFS krb.conf file.

  http://docs.openafs.org/Reference/5/krb.conf.html

The role of the Kerberos KDC to OpenAFS is documented in the OpenAFS
Administrator's guide.

  http://docs.openafs.org/AdminGuide/

How to use Integrated Logon on a Windows system is documented in the
OpenAFS Windows Release Notes:

  http://docs.openafs.org/ReleaseNotesWindows/index.html

How to set up cross-realm is a subject for your Kerberos and Active
Directory documentation.

When the 2008 AFS and Kerberos Workshop took place at NJIT the plan at
the time was to convert NJIT's AFS deployment from using kaserver to a
Kerberos v5 realm.  Based on your questions I am guessing that project
was never completed.

Jeffrey Altman
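The reply above says the only OpenAFS-specific pieces are the afs/<cell>@<REALM> service principal and the list of "local" realms in krb.conf. The following added example (not code from OpenAFS or from anyone in this thread) models what "treated as local" means for identity mapping: a principal from a realm listed in krb.conf becomes a bare PTS name, while a principal from any other realm, such as a cross-realm-trusted AD realm, keeps a realm suffix. The krb.conf format (whitespace-separated realm names, with '#' comments), the default of the upper-cased cell name, and the foreign form user@realm with the realm lower-cased are assumptions taken from the OpenAFS documentation; the realm principal lists are constructed sample data.

```python
"""Model of OpenAFS local-realm mapping driven by krb.conf (added example,
not OpenAFS code; file format and naming rules are stated assumptions)."""


def parse_krb_conf(text: str, cell: str) -> list[str]:
    """Return the local realms listed in krb.conf. With an empty or missing
    file, OpenAFS treats the cell name in upper case as the only local realm."""
    realms = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]           # assumed: '#' starts a comment
        realms.extend(tok.upper() for tok in line.split())
    return realms or [cell.upper()]


def map_principal(principal: str, local_realms: list[str]) -> str:
    """Map 'name[/inst]@REALM' to the PTS identity OpenAFS would use.
    Principals from a local realm lose their realm suffix; everyone else
    keeps it, so a foreign 'nick' can never collide with a local 'nick'."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    pts_name = name.replace("/", ".")          # instance becomes a '.' suffix
    if realm.upper() in local_realms:
        return pts_name
    return f"{pts_name}@{realm.lower()}"


def missing_afs_principals(cell: str, local_realms: list[str],
                           realm_dbs: dict[str, set[str]]) -> list[str]:
    """Every local realm must hold an afs/<cell> service principal, the one
    OpenAFS-specific object in a KDC. realm_dbs is a constructed stand-in
    for each realm's principal database."""
    wanted = f"afs/{cell}"
    return [f"{wanted}@{r}" for r in local_realms
            if wanted not in realm_dbs.get(r, set())]


# Constructed sample: an MIT realm on Solaris declared local in krb.conf,
# plus an AD realm reachable by cross-realm trust but NOT declared local.
CELL = "example.edu"
KRB_CONF = "EXAMPLE.EDU        # MIT KDC on Solaris\n"
LOCAL = parse_krb_conf(KRB_CONF, CELL)
REALM_DBS = {"EXAMPLE.EDU": {"afs/example.edu", "nick"},
             "AD.EXAMPLE.EDU": {"nick", "krbtgt/EXAMPLE.EDU"}}

if __name__ == "__main__":
    print(map_principal("nick@EXAMPLE.EDU", LOCAL))        # nick
    print(map_principal("nick@AD.EXAMPLE.EDU", LOCAL))     # nick@ad.example.edu
    print(missing_afs_principals(CELL, LOCAL, REALM_DBS))  # []
```

Adding AD.EXAMPLE.EDU to krb.conf would make AD's "nick" the same AFS user as the MIT realm's "nick", which is why the check also reports any local realm that lacks the afs/<cell> principal.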

