[OpenAFS] authenticating using AD servers hidden behind firewall

John Tang Boyland boyland@uwm.edu
Mon, 04 Jun 2012 13:51:39 -0500


We have configured our AFS servers to authenticate either using
our institution AD servers or using our own MIT kerberos realm.
We've been trying to get out of producing principals for students
in our own realm and instead use the institution AD servers.
Unfortunately, for security reasons, the AD servers cannot be
accessed from off campus, but the students all have ssh access
to on-campus Unix compute servers, which can access the AD servers.

I've been trying to think of ways to work around the restriction
that AD servers cannot be accessed from off campus.

It's pretty easy to get a forwardable (and addressless) TGT from
kinit and then copy it off campus, but "aklog" needs access to the KDC
also.

I've come up with a few ideas, but I'm not sure if they will be
workable:

(1) Set up a kerberos relay server: a host pretends to be the KDC and then
    relays all requests sent to it to the real KDC.

    I suspect this is infeasible.  Kerberos is probably designed to prevent
    this from working for security reasons.

(2) Hack "aklog" to split it into two parts: one to get the token
    and then another to take the token and stuff it into the kernel.
    Then the first part can be run on the compute server,
    and then the token can be copied back to the off-campus computer
    where it is presented to AFS.

    This seems doable, but it will be a pain to get executables
    to work for windows as well as non-windows.

Does anyone have experience with this sort of situation?

Best regards,
John