[OpenAFS] authenticating using AD servers hidden behind firewall

Ken Dreyer ktdreyer@ktdreyer.com
Mon, 4 Jun 2012 13:07:36 -0600


On Mon, Jun 4, 2012 at 12:51 PM, John Tang Boyland
<boyland@pabst.cs.uwm.edu> wrote:
> We have configured our AFS servers to authenticate either using
> our institution AD servers or using our own MIT kerberos realm.

Our situation is sort of similar, except we're using Heimdal instead
of MIT. In our environment, Heimdal and AFS are world-accessible, and
AD is protected behind a VPN. There's no trust relationship between
the two Kerberos realms; we're just using multiple realms for a single
cell.

If a user has a need to access AFS without any VPN connection, we'll
create a Heimdal account for the user. As long as all the AFS services
are exposed to the internet, it works.

I'm wondering, is AFS behind a more restrictive firewall policy in
your environment? Or maybe you're just looking to reduce the number of
MIT user principals that you manage?

- Ken
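As an added illustration of the "multiple realms for a single cell" setup Ken describes (this is example code, not from the list post or from the OpenAFS project), the script below models how OpenAFS servers turn the Kerberos principal carried in a token into a Protection Database (PTS) name, and runs the one check a site with untrusted realms should do: find bare names that exist in both KDCs, since each of those is a single AFS identity that either KDC can mint. It assumes the documented krb.conf behaviour (realms listed in /usr/afs/etc/krb.conf are treated as local and have the realm stripped, a Kerberos instance becomes a '.'-separated AFS name, other realms are kept as name@REALM); the realm names, file contents and principal lists are constructed for the example, and case handling of foreign realm names is not modelled. Check krb.conf(5) for your OpenAFS release before relying on the mapping.

```python
"""Added example, not OpenAFS code: model the principal-to-PTS mapping of a
cell that accepts several Kerberos realms and audit cross-realm collisions.

Assumed behaviour (verify against krb.conf(5) for your release):
  - realms listed in /usr/afs/etc/krb.conf are treated as local, so the
    realm is stripped: alice@AD.EXAMPLE.EDU -> alice
  - a Kerberos instance maps to a '.'-joined AFS name: alice/admin -> alice.admin
  - principals from any other realm keep the realm: dave@OTHER.ORG
"""
import re
from collections import defaultdict

# Constructed krb.conf contents: the cell's own Heimdal realm plus the AD
# realm, space separated as the real file expects.  Realm names are made up.
KRB_CONF = """
# realms whose principals are treated as local users of this cell
EXAMPLE.EDU AD.EXAMPLE.EDU
"""

_PRINCIPAL = re.compile(r"^([^@/]+)(?:/([^@/]+))?@([^@/]+)$")


def parse_krb_conf(text):
    """Return the set of realms the servers treat as local.

    The real file is just whitespace-separated realm names; '#' comments are
    tolerated here for readability of the constructed sample."""
    realms = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            realms.update(line.split())
    return realms


def pts_name(principal, local_realms):
    """Map a Kerberos principal to the PTS name the fileserver would use.

    Raises ValueError on a malformed principal so a caller cannot quietly
    fall through to treating it as an anonymous user."""
    m = _PRINCIPAL.match(principal)
    if not m:
        raise ValueError(f"malformed principal: {principal!r}")
    name, instance, realm = m.groups()
    base = name if instance is None else f"{name}.{instance}"
    if realm in local_realms:
        return base              # local realm: realm portion dropped
    return f"{base}@{realm}"     # foreign realm: kept in the PTS name


def find_collisions(principals, local_realms):
    """Group principals by PTS name and return the names fed by more than one
    principal.  With no trust between realms, each hit is an AFS identity that
    an account created in either KDC can exercise."""
    by_name = defaultdict(set)
    for p in principals:
        by_name[pts_name(p, local_realms)].add(p)
    return {n: sorted(ps) for n, ps in by_name.items() if len(ps) > 1}


# Constructed principal lists, as a site might export them from each KDC.
HEIMDAL_PRINCIPALS = ["alice@EXAMPLE.EDU", "bob@EXAMPLE.EDU", "alice/admin@EXAMPLE.EDU"]
AD_PRINCIPALS = ["alice@AD.EXAMPLE.EDU", "carol@AD.EXAMPLE.EDU"]


def audit(krb_conf=KRB_CONF, principals=HEIMDAL_PRINCIPALS + AD_PRINCIPALS):
    """Return the PTS names that more than one principal maps onto."""
    return find_collisions(principals, parse_krb_conf(krb_conf))


if __name__ == "__main__":
    for name, sources in sorted(audit().items()):
        print(f"{name}: {', '.join(sources)}")
```

With the constructed input the audit reports that `alice` is reachable from both realms, which is exactly the case to decide on before adding a second realm to krb.conf: either keep the namespaces disjoint (for instance by only creating Heimdal accounts for users who do not exist in AD, as in Ken's setup) or accept that the weaker of the two realms sets the bar for that user's AFS access.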