[OpenAFS] Active Directory Kerberos ticket allowing to access OpenAFS cell?

Stanislaw Kaminski stasheck.fora@gmail.com
Thu, 3 Nov 2011 07:58:49 +0100

2011/11/2 Douglas E. Engert <deengert@anl.gov>:
> On 11/2/2011 11:17 AM, stasheck wrote:
>> Hi,
>> I'm still trying to solve some issues regarding proper integration of
>> ActiveDirectory into our IT environment. One thing I learned, it's
>> impossible to forgo AD Kerberos for MIT Kerberos. Now, I cannot resign
>> from MIT Kerberos, so I need some workarounds.
> When you say "Impossible to forgo AD Kerberos for MIT Kerberos."
> do you mean Windows machine and uses require AD accounts. Which is
> true. AD uses Krb5, and adds a PAC to the Krb5 tickets.
> I don't know what you mean by "I cannot resign".

Sorry, I meant "I have to use AD and MIT at the same time, for various reasons".

> I would also assume that the AD domain name is *NOT* the same as the
> MIT Kerberos realm name. If they are, this is going to be a major
> conversion. (The afs cell name could match either one, or be different
> from both.)

No, actually MIT Kerberos uses our domain name, and AD will use a subdomain.

>> First, I'm going to block password change from Windows boxes and force
>> everyone to change their password on MIT Kerboros - because I can sync
>> that to AD.
> There should be no reason that the password have to be in sync.

Unless I have users who will at one time of another use both of those
services, and I want my users to remember just one password for that.

>> Second problem/idea is to create SingleSignOn to OpenAFS just by
>> logging into Windows account.
> Yes, do it all the time. See the KfW or the Network Identity Manager
> from Secure-endpoints.
> http://www.secure-endpoints.com/#Network Identity Manager
> and
> http://www.secure-endpoints.com/#openafs

Well, I am using KfW, but since I have no domain yet I wasn't able to
test if KfW automagically gets Kerberos tickes while user logs on. I
don't want it to ask for a password second time, after AD logon.

>> Is there any way to use AD ticket to get into MIT-based AFS?
> Yes cross realm, or since you are trying to sync passwords between the two,
> that implies a user in one realm is the same user in the other realm.
> As Andrew said in his note, the AFS cell could be in both realms
> at the same time. (There might be some issues as to how a client
> determines the default Kerberos realm of the afs cell.)

Yes, of course those are the same. I wasn't aware that AFS allows
multiple Kerberos domains (so thanks, Andrew) - still have much
learning to do. That'd of course solve one part of the problem.

So, does KfW automatically get AD ticket? (back to my VMs)