[OpenAFS] Adding an AD mechanism while keeping another realm
Jeffrey Altman
jaltman@secure-endpoints.com
Thu, 15 Dec 2011 13:47:53 -0500
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
On 12/15/2011 12:01 PM, John Tang Boyland wrote:
> Dear OpenAFS community,
>
> I've been maintaining my own cell (cs.uwm.edu) including a MIT KDC
> for realm CS.UWM.EDU. The campus is now providing AD kerberos through a
> realm I'll call UWM.EDU. I'd like to use this to authenticate the
> majority of users (students in classes) while keeping (for now) AFS
> administrator principals and perhaps a few others in my kerberos realm.
> In other words, I'd like to authenticate against two realms. I can be
> responsible for ensuring compatibility between my little realm and the
> campus realm. Using two realms is also attractive as a possible path to
> getting rid of my CS.UWM.EDU realm altogether, sometime in the future.
Doing so is fine provided that names in CS.UWM.EDU will always match the
names in the UWM.EDU realm.
> I'm wondering whether (1) this is practical and (2) the implementation
> route I give below makes sense.
>
> Proposed implementation:
>
> 1. Follow the instructions in
> http://wiki.openafs.org/AFSLore/WindowsK5AfsServicePrincipal/
> to create a service principal afs/cs.uwm.edu@UWM.EDU
> with a new kvno. Add the key to each AFS server's key file.
>
>
> 2. Somehow, create a file /usr/afs/etc/krb5.conf
> on all AFS servers that lists both realms.
The file is .../afs/etc/krb.conf not krb5.conf
http://docs.openafs.org/Reference/5/krb.conf.html
> Trying to read between the lines, perhaps what this file needs is:
>
> [libdefaults]
>     default_realm = UWM.EDU
>
> [realms]
>     CS.UWM.EDU = {
>         kdc = kerberos.cs.uwm.edu
>         kdc = kerberos-1.cs.uwm.edu
>         master_kdc = kerberos.cs.uwm.edu
>         admin_server = kerberos.cs.uwm.edu
>     }
>     UWM.EDU = {
>         kdc = kerberos.uwm.edu
>     }
>
> [appdefaults]
>     afs_krb5 = {
>         CS.UWM.EDU = {
>             afs/cs.uwm.edu = false }
>         UWM.EDU = {
>             afs/cs.uwm.edu = false }
>     }
>
> I'm very unsure of this step -- the Wiki page I pointed to just says
> to add the AD realm to the krb5.conf, but doesn't explain how.
> I found the "[appdefaults]" section mentioned on a different wiki page.
> The "= false" part is confusing too.
OpenAFS does not use a Kerberos v5 library and therefore does not need a
krb5.conf file. The krb5.conf file is used on the client machines and
I assume you already have one for your CS.UWM.EDU realm.
> 3. Then a user can authenticate either against CS.UWM.EDU or against
> UWM.EDU and using
> aklog -c cs.uwm.edu -k UWM.EDU
> or
> aklog -c cs.uwm.edu -k CS.UWM.EDU
> and either way will work. Right?
They should use the realm the user obtained their TGT from. aklog tries
afs/cs.uwm.edu@<USER-REALM> first.
> 4. Network Identity Manager can be set up to take UWM.EDU as the realm
> (by default) and cs.uwm.edu as the cell for AFS.
Yes.
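The realm-selection rule above (use the realm the TGT came from, and only a realm the cell's servers accept) as a small added example, not code from this thread or from OpenAFS; the klist output and the realm list are constructed inline, and the parsing of the "Default principal:" line assumes MIT klist's output format:

```shell
#!/bin/sh
# Constructed sample of `klist` output for a user whose TGT is from UWM.EDU
# (embedded so the script runs offline; a real run would capture `klist`).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jboyland@UWM.EDU

Valid starting     Expires            Service principal
12/15/11 13:00:00  12/16/11 13:00:00  krbtgt/UWM.EDU@UWM.EDU'

# Realms the cell's fileservers accept, one per line, mirroring a two-realm
# /usr/afs/etc/krb.conf for cs.uwm.edu (constructed for this example).
ACCEPTED_REALMS='CS.UWM.EDU
UWM.EDU'

# Print the realm of the default principal found in klist output.
# Returns 1 when no "Default principal:" line is present (no TGT).
tgt_realm() {
    printf '%s\n' "$1" \
        | sed -n 's/^Default principal: *[^@]*@\([^ ]*\).*/\1/p' \
        | head -n 1 | grep .
}

# Exact, case-sensitive match: Kerberos realm names are case-sensitive.
realm_accepted() {
    printf '%s\n' "$2" | grep -Fqx -- "$1"
}

# Build the aklog command for CELL from klist output and the accepted realms.
# Prints "aklog -c CELL -k REALM"; returns 1 with no TGT, 2 if the TGT realm
# is not one the cell's servers have a key for.
aklog_command() {
    cell=$1; klist_out=$2; realms=$3
    realm=$(tgt_realm "$klist_out") || return 1
    realm_accepted "$realm" "$realms" || return 2
    printf 'aklog -c %s -k %s\n' "$cell" "$realm"
}

aklog_command cs.uwm.edu "$SAMPLE_KLIST" "$ACCEPTED_REALMS"
```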