[OpenAFS] OpenAFS and Windows user account password synchronization

Coy Hile coy.hile@coyhile.com
Thu, 26 May 2011 09:46:21 +0000

On Thu, May 26, 2011 at 8:16 AM, Claudio Prono <claudio.prono@atpss.net> wrote:
> On 25/05/2011 20:14, Ken Dreyer wrote:
>> On Wed, May 25, 2011 at 7:12 AM, Claudio Prono <claudio.prono@atpss.net> wrote:
>>> When the Windows Client changes his Kerberos password on the
>>> OpenAFS server
>> I'm not sure what this means, because OpenAFS servers (besides
>> kaserver) don't store users' passwords. Can you provide more
>> information about your Kerberos environment, specifically, what
>> implementation of Kerberos (kaserver, Heimdal, MIT) you are using to
>> authenticate users to AFS?
>> - Ken
> I use MIT Kerberos to store users' passwords.

You shouldn't really have to synchronize anything at all.  If you're
doing the dummy account dance on the AD side; that is, the user object
in AD is mapped to a principal in your MIT realm via alternate security
IDs, then the user simply has to change his password in the MIT realm
directly.  Where I went to school did this; they simply have a webpage
where users can change their passwords.

Coy Hile