[OpenAFS] Adding an AD mechanism while keeping another realm
John Tang Boyland
boyland@uwm.edu
Thu, 15 Dec 2011 11:01:44 -0600
Dear OpenAFS community,
I've been maintaining my own cell (cs.uwm.edu) including a MIT KDC
for realm CS.UWM.EDU. The campus is now providing AD kerberos through a
realm I'll call UWM.EDU. I'd like to use this to authenticate the
majority of users (students in classes) while keeping (for now) AFS
administrator principals and perhaps a few others in my kerberos realm.
In other words, I'd like to authenticate against two realms. I can be
responsible for ensuring compatibility between my little realm and the
campus realm. Using two realms is also attractive as a possible path to
getting rid of my CS.UWM.EDU realm altogether, sometime in the future.
I'm wondering whether (1) this is practical and (2) the implementation
route I give below makes sense.
Proposed implementation:
1. Follow the instructions in
http://wiki.openafs.org/AFSLore/WindowsK5AfsServicePrincipal/
to create a service principal afs/cs.uwm.edu@UWM.EDU
with a new kvno. Add the key to each AFS server's key file.
2. Somehow, create a file /usr/afs/etc/krb5.conf
on all AFS servers that lists both realms.
Trying to read between the lines, perhaps what this file needs is:
[libdefaults]
    default_realm = UWM.EDU
[realms]
    # existing MIT KDC realm
    CS.UWM.EDU = {
        kdc = kerberos.cs.uwm.edu
        kdc = kerberos-1.cs.uwm.edu
        master_kdc = kerberos.cs.uwm.edu
        admin_server = kerberos.cs.uwm.edu
    }
    # campus AD realm
    UWM.EDU = {
        kdc = kerberos.uwm.edu
    }
[appdefaults]
    afs_krb5 = {
        CS.UWM.EDU = {
            afs/cs.uwm.edu = false }
        UWM.EDU = {
            afs/cs.uwm.edu = false }
    }
I'm very unsure of this step -- the Wiki page I pointed to just says
to add the AD realm to the krb5.conf, but doesn't explain how.
I found the "[appdefaults]" section mentioned on a different wiki page.
The "= false" part is confusing too.
3. Then a user can authenticate either against CS.UWM.EDU or against
UWM.EDU, and use
aklog -c cs.uwm.edu -k UWM.EDU
or
aklog -c cs.uwm.edu -k CS.UWM.EDU
and either way will work. Right?
4. Network Identity Manager can be set up to take UWM.EDU as the realm
(by default) and cs.uwm.edu as the cell for AFS.
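As an added example (not code from the original post or from OpenAFS), the following script parses a two-realm krb5.conf of the shape proposed in step 2 and checks the things a practitioner would want to confirm before relying on "either realm will work": the default_realm is actually defined, each realm has a KDC, and the afs_krb5 appdefaults carry an entry for afs/&lt;cell&gt; under each realm, so that `aklog -c cs.uwm.edu -k REALM` finds a policy whichever realm the user obtained tickets from. The cell and realm names are taken from the post; the parser handles only the krb5.conf subset the post uses ([sections], key = value, key = { ... }), and the sample configuration is a constructed copy of the post's proposal.

```python
# Added example: parse a two-realm krb5.conf and check it covers both realms.
# Cell cs.uwm.edu and realms CS.UWM.EDU / UWM.EDU are taken from the post;
# only the krb5.conf subset used there ([section], key = value, key = { }) is parsed.
import re

# Constructed sample: the krb5.conf proposed in the post, indented.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = UWM.EDU
[realms]
    CS.UWM.EDU = {
        kdc = kerberos.cs.uwm.edu
        kdc = kerberos-1.cs.uwm.edu
        master_kdc = kerberos.cs.uwm.edu
        admin_server = kerberos.cs.uwm.edu
    }
    UWM.EDU = {
        kdc = kerberos.uwm.edu
    }
[appdefaults]
    afs_krb5 = {
        CS.UWM.EDU = {
            afs/cs.uwm.edu = false }
        UWM.EDU = {
            afs/cs.uwm.edu = false }
    }
"""


def _add(group, key, value):
    """Store key in group; repeated keys (several kdc = lines) become a list."""
    if key in group:
        if not isinstance(group[key], list):
            group[key] = [group[key]]
        group[key].append(value)
    else:
        group[key] = value


def parse_krb5_conf(text):
    """Parse [section] headers, key = value lines and nested key = { ... }
    groups into a dict of dicts. A closing brace may sit on its own line
    or trail a value, as in the post's "afs/cs.uwm.edu = false }"."""
    sections = {}
    stack = []  # innermost open group is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([\w-]+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside any [section]: %r" % raw)
        closes = 0
        while line.endswith("}"):  # count trailing closing braces
            line = line[:-1].rstrip()
            closes += 1
        if line:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError("unparseable line: %r" % raw)
            key, value = key.strip(), value.strip()
            if value == "{":  # open a nested group
                child = {}
                _add(stack[-1], key, child)
                stack.append(child)
            else:
                _add(stack[-1], key, value)
        for _ in range(closes):
            if len(stack) < 2:
                raise ValueError("unbalanced '}' in %r" % raw)
            stack.pop()
    return sections


def check_two_realm_conf(conf, cell, realms):
    """Return a list of problems (empty when the config supports the plan):
    default_realm must be a defined realm, every realm needs a kdc, and an
    afs_krb5 entry for afs/<cell> must exist under each realm so that
    'aklog -c <cell> -k <realm>' has a policy whichever realm was used."""
    problems = []
    defined = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    if default not in defined:
        problems.append("default_realm %r is not defined in [realms]" % default)
    for realm in realms:
        entry = defined.get(realm)
        if entry is None:
            problems.append("realm %s missing from [realms]" % realm)
            continue
        if not entry.get("kdc"):
            problems.append("realm %s has no kdc" % realm)
        policy = conf.get("appdefaults", {}).get("afs_krb5", {}).get(realm, {})
        if "afs/" + cell not in policy:
            problems.append("no afs_krb5 entry for afs/%s in realm %s" % (cell, realm))
    return problems


if __name__ == "__main__":
    realms = ["CS.UWM.EDU", "UWM.EDU"]
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("proposed config:", check_two_realm_conf(conf, "cs.uwm.edu", realms) or "ok")
    del conf["appdefaults"]["afs_krb5"]["UWM.EDU"]  # simulate forgetting the campus realm
    print("without campus entry:", check_two_realm_conf(conf, "cs.uwm.edu", realms))
```

Run it against the krb5.conf actually deployed on each AFS server; a non-empty list means one of the two `aklog -k` invocations in step 3 will not have the configuration it needs. The check says nothing about the key file itself: the service key for afs/cs.uwm.edu must still be present on every server with the kvno matching each realm's principal, as step 1 describes.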