[OpenAFS] Active Directory Kerberos ticket allowing to access
Wed, 02 Nov 2011 17:35:23 +0100
2011-11-02 17:17 keltezéssel, stasheck írta:
> I'm still trying to solve some issues regarding proper integration of
> ActiveDirectory into our IT environment. One thing I learned, it's
> impossible to forgo AD Kerberos for MIT Kerberos. Now, I cannot resign
> from MIT Kerberos, so I need some workarounds.
> First, I'm going to block password change from Windows boxes and force
> everyone to change their password on MIT Kerboros - because I can sync
> that to AD.
> Second problem/idea is to create SingleSignOn to OpenAFS just by
> logging into Windows account.
> I've seen bits of pieces that would suggest that it's possible, but I
> still can't wrap my head around it.
> What I know, what I need:
> - all users have account both in Active Directory domain, and in MIT
> Kerberos (another domain) (check)
> - I can form mutual trust relationship between MIT and AD (did that to
> test some previous ideas)
> - a user logs into AD domain, and gets AD Kerberos ticket (but I don't
> know if there's any way to use this ticket to other services?)
> Is there any way to use AD ticket to get into MIT-based AFS?
> PS. I just stumbled on a very interesting article:
> https://twiki.cern.ch/twiki/bin/view/AFSService/UnifiedKerberos but I
> cannot read any links - I don't have a CERN account. I believe that
> some people here work at CERN, would somebody be so kind and share the
> documents linked from this one? Many thanks.
> OpenAFS-info mailing list
Two (complementary) ideas:
1. Try to establish a two way trust between your AD and MIT KDC, that
way your AD users would be treated by AFS as principal@AD.REALM insted
2. A more aggressive approach would be migrating to Samba4 which
realizes an AD (the KDC part being a slightly modified Heimdal KDC), it
is still rough around the edges, but I have a testcell whose KDC is
Samba4, and it works reasonably well.