[OpenAFS] Adding an AD mechanism while keeping another realm

Jeffrey Altman jaltman@secure-endpoints.com
Thu, 15 Dec 2011 13:47:53 -0500


On 12/15/2011 12:01 PM, John Tang Boyland wrote:
> Dear OpenAFS community,
>
>    I've been maintaining my own cell (cs.uwm.edu) including a MIT KDC
> for realm CS.UWM.EDU.  The campus is now providing AD kerberos through a
> realm I'll call UWM.EDU.  I'd like to use this to authenticate the
> majority of users (students in classes) while keeping (for now) AFS
> administrator principals and perhaps a few others in my kerberos realm.
> In other words, I'd like to authenticate against two realms.  I can be
> responsible for ensuring compatibility between my little realm and the
> campus realm.  Using two realms is also attractive as a possible path to
> getting rid of my CS.UWM.EDU realm altogether, sometime in the future.

Doing so is fine provided that names in CS.UWM.EDU will always match the
names in the UWM.EDU realm.

> I'm wondering whether (1) this is practical and (2) the implementation
> route I give below makes sense.
>
> Proposed implementation:
>
> 1. Follow the instructions in
>    http://wiki.openafs.org/AFSLore/WindowsK5AfsServicePrincipal/
> to create a service principal afs/cs.uwm.edu@UWM.EDU
> with a new kvno.  Add the key to each AFS server's key file.
>
>
> 2. Somehow, create a file /usr/afs/etc/krb5.conf
> on all AFS servers that lists both realms.

The file is .../afs/etc/krb.conf not krb5.conf

http://docs.openafs.org/Reference/5/krb.conf.html

> Trying to read between the lines, perhaps what this file needs is:
>
> [libdefaults]
> default_realm = UWM.EDU
>
> [realms]
> CS.UWM.EDU = {
>   kdc = kerberos.cs.uwm.edu
>   kdc = kerberos-1.cs.uwm.edu
>   master_kdc = kerberos.cs.uwm.edu
>   admin_server = kerberos.cs.uwm.edu
> }
> UWM.EDU = {
>    kdc = kerberos.uwm.edu
> }
>
> [appdefaults]
>   afs_krb5 = {
>     CS.UWM.EDU = {
>       afs/cs.uwm.edu = false }
>     UWM.EDU = {
>       afs/cs.uwm.edu = false }
>   }
>
> I'm very unsure of this step -- the Wiki page I pointed to just says
> to add the AD realm to the krb5.conf, but doesn't explain how.
> I found the "[appdefaults]" section mentioned on a different wiki page.
> The "= false" part is confusing too.

OpenAFS does not use a Kerberos v5 library and therefore does not need a
krb5.conf file.   The krb5.conf file is used on the client machines and
I assume you already have one for your CS.UWM.EDU realm.


> 3. Then a user can authenticate either against CS.UWM.EDU or against
> UWM.EDU and using
> 	aklog -c cs.uwm.edu -k UWM.EDU
> or
> 	aklog -c cs.uwm.edu -k CS.UWM.EDU
> and either way will work.  Right?

They should use the realm the user obtained their TGT from.  aklog tries
afs/cs.uwm.edu@<USER-REALM> first.

> 4. Network Identity Manager can be set up to take UWM.EDU as the realm
> (by default) and cs.uwm.edu as the cell for AFS.

Yes.

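The caveat in the reply above (names in CS.UWM.EDU must always match the names in UWM.EDU) can be checked before the second realm is declared local. The script below is an added example, not code from this thread or from OpenAFS; the principal lists are constructed sample data, and it applies the standard AFS name mapping (realm dropped for a local realm, "name/instance" written "name.instance") to find PTS names that both realms would claim.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample principal lists (not real data); in practice export them
# from the MIT KDC (kadmin listprincs) and from the AD domain respectively.
CS_PRINCIPALS = [
    "jdoe@CS.UWM.EDU",
    "afsadmin@CS.UWM.EDU",
    "rsmith/admin@CS.UWM.EDU",
    "afs/cs.uwm.edu@CS.UWM.EDU",  # cell service principal, not a user
]
AD_PRINCIPALS = [
    "jdoe@UWM.EDU",
    "rsmith@UWM.EDU",
    "student1@UWM.EDU",
    "afs/cs.uwm.edu@UWM.EDU",     # the new service principal from step 1
]

def afs_name(principal: str) -> Tuple[str, str]:
    """Map 'name[/instance]@REALM' to the (PTS name, realm) AFS would use:
    the realm is dropped for a local realm and 'name/instance' becomes
    'name.instance' (so rsmith/admin is the AFS user rsmith.admin)."""
    name, realm = principal.rsplit("@", 1)
    return name.replace("/", "."), realm.upper()

def _users(principals: List[str]):
    # Service principals (afs/<cell>) never map to a PTS user; skip them.
    return (p for p in principals if not p.startswith("afs/"))

def collisions(*realms: List[str]) -> Dict[str, List[str]]:
    """PTS names reachable from more than one realm. Every hit must be the
    same person in each realm; otherwise an account in the other realm
    silently gains that AFS identity once both realms are local."""
    seen: Dict[str, List[str]] = {}
    for p in (p for r in realms for p in _users(r)):
        seen.setdefault(afs_name(p)[0], []).append(p)
    return {n: ps for n, ps in seen.items()
            if len({afs_name(p)[1] for p in ps}) > 1}

def only_in(mine: List[str], theirs: List[str]) -> Set[str]:
    """PTS names present only in the first realm (e.g. admin principals kept
    on the local KDC); the other realm's KDC cannot issue tickets for them."""
    return {afs_name(p)[0] for p in _users(mine)} - \
           {afs_name(p)[0] for p in _users(theirs)}

if __name__ == "__main__":
    for n, ps in collisions(CS_PRINCIPALS, AD_PRINCIPALS).items():
        print(f"VERIFY same person in both realms: {n} <- {ps}")
    for n in sorted(only_in(CS_PRINCIPALS, AD_PRINCIPALS)):
        print(f"only served by the CS.UWM.EDU KDC: {n}")
```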
