[OpenAFS] Fixing old screw-ups, then adding Active Directory Domain

Mickey Lane mlane@sinenomine.net
Wed, 5 Oct 2011 10:07:41 -0500

Re: questions by stasheck and a response by Douglas E. Engert

> >
> > Server names are not a big problem. If the two AFS cells have the same
> > name that may be a problem.

The cell lookup process (CellServDB, DNS or registry (Windows)) starts with=
 the name and there's no provision to treat two different servers as one so=
 yes, that is a problem.
> They have, unfortunately. Is there an easy way to change AFS cell name?

Easy? No. Possible? Yes but it's painful.

> >> What's more, now we've got plans to introduce AD domain in "ours"
> >> network. Great, another Kerberos, another AAA system in place. How
> >> about I (and my fellow sysadmins) will try to fix and simplify it as
> >> much as possible?

There are differences between Server 2008 and Server 2008 R2. I'm not 100% =
sure but I don't think your plan will work with the non-R2 version.

> > And I assume the AD top level domain name would end up being the same
> > as the current 2 Kerberos realm names????
> I surely hope it doesn't. I am mentally prepared to create some subdomain
> for AD - like ad.test.int, and the Kerberos domain would be named the sam=
> But what I would like to do is to allow users to have just one password f=
or all
> Kerberos-authenticated services.
> >> I've already put in motion a plan to "flatten" DNS space, so names
> >> will be unique - so we can treat that as nearly non-issue.
> >
> > Keep in mind, that AD like to have the DCs and other windows servers
> > with a DNS domain name =3D=3D AD domin name. The AD domin name is then
> the Kerberos realm name (in uppercase) when AD is using Kerberos.
> That's ok.

Having the AD (lower case) and realm name (upper case) match is mandatory. =
If I remember correctly, you get the undocumented (undefined?) error 68 whe=
n attempting to get a TGT if they don't.

> > You can register other Unix machines in AD Kerberos where the DNS
> > domain name is not the same as the AD domain name.
> You got me lost - I don't know what you're reffering to.

On the AD server, you use ktpass to register the name of the cell and get a=
 keytab for use on that cell server. You can register more than one name. (=
I think. I haven actually tried that.)

> That's something I hope for, except that this pesky "contractors"
> network and its stupid firewall comes in my way. I'd still need to solve =
> problem on how to auth users in "contractors" network despite the one-way
> firewall (possible, I guess), and how to block "ours"-only users from log=
> on "contractors". I feel there should be some way to do this, I just don'=
> know what is it.
> Maybe I can use this parallel:
> let's say there are users in Finances and Sales. Both departaments have
> separate LANs. I want to give both Finances and Sales the same Linux
> workstations, but somehow refrain Sales users from logging on Finance's
> computers - but those from Finances can login wherever they want.
> Is there a way to do that?

You may be able use OpenAFS access control lists (ACLs) to control which gr=
oup of users can access things in a given cell.