[OpenAFS] Adding an AD mechanism while keeping another realm

Jeffrey Altman jaltman@secure-endpoints.com
Thu, 15 Dec 2011 13:47:53 -0500

On 12/15/2011 12:01 PM, John Tang Boyland wrote:
> Dear OpenAFS community,
>    I've been maintaining my own cell (cs.uwm.edu) including an MIT KDC
> for realm CS.UWM.EDU.  The campus is now providing AD kerberos through
> realm I'll call UWM.EDU.  I'd like to use this to authenticate the
> majority of users (students in classes) while keeping (for now) AFS
> administrator principals and perhaps a few others in my kerberos realm.
>
> In other words, I'd like to authenticate against two realms.  I can be
> responsible for ensuring compatibility between my little realm and the
> campus realm.  Using two realms is also attractive as a possible path to
> getting rid of my CS.UWM.EDU realm altogether, sometime in the future.

Doing so is fine provided that names in CS.UWM.EDU will always match the
names in the UWM.EDU realm.

> I'm wondering whether (1) this is practical and (2) the implementation
> route I give below makes sense.
> Proposed implementation:
> 1. Follow the instructions in
>    http://wiki.openafs.org/AFSLore/WindowsK5AfsServicePrincipal/
> to create a service principal afs/cs.uwm.edu@UWM.EDU
> with a new kvno.  Add the key to each AFS server's key file.
> 2. Somehow, create a file /usr/afs/etc/krb5.conf
> on all AFS servers that lists both realms.

The file is .../afs/etc/krb.conf, not krb5.conf.

> Trying to read between the lines, perhaps what this file needs is:
> [libdefaults]
> default_realm = UWM.EDU
> [realms]
> CS.UWM.EDU = {
>   kdc = kerberos.cs.uwm.edu
>   kdc = kerberos-1.cs.uwm.edu
>   master_kdc = kerberos.cs.uwm.edu
>   admin_server = kerberos.cs.uwm.edu
> }
> UWM.EDU = {
>    kdc = kerberos.uwm.edu
> }
> [appdefaults]
>   afs_krb5 = {
>     CS.UWM.EDU = {
>       afs/cs.uwm.edu = false }
>     UWM.EDU = {
>       afs/cs.uwm.edu = false }
>   }
> I'm very unsure of this step -- the Wiki page I pointed to just says
> to add the AD realm to the krb5.conf, but doesn't explain how.
> I found the "[appdefaults]" section mentioned on a different wiki page.
>
> The "= false" part is confusing too.

OpenAFS does not use a Kerberos v5 library and therefore does not need a
krb5.conf file.  The krb5.conf file is used on the client machines and
I assume you already have one for your CS.UWM.EDU realm.

> 3. Then a user can authenticate either against CS.UWM.EDU or against
> UWM.EDU and using
> 	aklog -c cs.uwm.edu -k UWM.EDU
> or
> 	aklog -c cs.uwm.edu -k CS.UWM.EDU
> and either way will work.  Right?

They should use the realm the user obtained their TGT from.  aklog tries
afs/cs.uwm.edu@<USER-REALM> first.

> 4. Network Identity Manager can be set up to take UWM.EDU as the realm
> (by default) and cs.uwm.edu as the cell for AFS.
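
As an added example (not part of this thread), a small POSIX shell helper that follows the advice above: it picks the aklog "-k" realm from the realm that issued the TGT in the credential cache rather than hard-coding one. It parses klist output piped on stdin; the function names, the cell name and the sample klist output are constructed for illustration.

```shell
# Pick the aklog "-k" realm from the TGT in the credential cache.
# Added example for this thread; function names, the cell name and the
# klist output below are constructed for illustration.

# realm_from_klist: read klist output on stdin and print the realm that
# issued the ticket-granting ticket (the REALM in krbtgt/REALM@REALM).
# Cross-realm TGTs (krbtgt/OTHER@REALM) are skipped on purpose: aklog
# tries afs/<cell>@<user realm> first, so we want the realm the user
# actually obtained their TGT from.
realm_from_klist() {
    awk '$NF ~ /^krbtgt\// {
            split($NF, p, "[/@]")
            if (p[2] == p[3]) { print p[2]; exit }
         }'
}

# aklog_cmd: print the aklog invocation for cell $1 using the TGT realm
# found in klist output on stdin; fails if no TGT is present.
aklog_cmd() {
    _cell=$1
    _realm=$(realm_from_klist)
    if [ -z "$_realm" ]; then
        echo "aklog_cmd: no krbtgt ticket in the credential cache; run kinit first" >&2
        return 1
    fi
    printf 'aklog -c %s -k %s\n' "$_cell" "$_realm"
}

# Constructed klist output for a student who authenticated to the campus AD realm.
SAMPLE_KLIST_UWM='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@UWM.EDU

Valid starting       Expires              Service principal
12/15/2011 12:00:00  12/15/2011 22:00:00  krbtgt/UWM.EDU@UWM.EDU'

# Constructed klist output for an AFS admin who authenticated to the local realm.
SAMPLE_KLIST_CS='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@CS.UWM.EDU

Valid starting       Expires              Service principal
12/15/2011 12:00:00  12/15/2011 22:00:00  krbtgt/CS.UWM.EDU@CS.UWM.EDU
12/15/2011 12:00:01  12/15/2011 22:00:00  afs/cs.uwm.edu@CS.UWM.EDU'

# Offline demo; for real use, pipe live output:  klist | aklog_cmd cs.uwm.edu
printf '%s\n' "$SAMPLE_KLIST_UWM" | aklog_cmd cs.uwm.edu   # prints: aklog -c cs.uwm.edu -k UWM.EDU
```

Replace the printed command with `eval` or a direct call once the output looks right; the helper deliberately only builds the command line so it can be checked before use.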
