[OpenAFS] authenticating using AD servers hidden behind firewall

John Tang Boyland boyland@uwm.edu
Mon, 04 Jun 2012 14:18:29 -0500


On Mon, 04 Jun 2012 at 13:07:36 MDT, Ken Dreyer wrote:
] On Mon, Jun 4, 2012 at 12:51 PM, John Tang Boyland
] <boyland@pabst.cs.uwm.edu> wrote:
] > We have configured our AFS servers to authenticate either using
] > our institution AD servers or using our own MIT kerberos realm.
] 
] Our situation is sort of similar, except we're using Heimdal instead
] of MIT. In our environment, Heimdal and AFS is world-accessible, and
] AD is protected behind a VPN.  There's no trust relationship between
] the two Kerberos realms; we're just using multiple realms for a single
] cell.

Same here.

] If a user has a need to access AFS without any VPN connection, we'll
] create a Heimdal account for the user. As long as all the AFS services
] are exposed to the internet, it works.

Same here, but creating the account is what we want to avoid.
The user needs to remember a second password.
Right now, we batch create MIT principals for every student
who might need one.  These new principals need new passwords.
Or do you create the Heimdal principals on demand?  What
is the protocol?

] I'm wondering, is AFS behind a more restrictive firewall policy in
] your environment? Or maybe you're just looking to reduce the number of
] MIT user principals that you manage?

The latter.  The AFS servers are not behind firewalls.

John Boyland
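One practical consequence of "multiple realms for a single cell" (listing both the AD realm and the local Heimdal/MIT realm as local realms of the cell) is that the file servers strip the realm from any principal in a listed realm, so bob@AD.EXAMPLE.EDU and bob@CS.EXAMPLE.EDU become the same PTS user "bob" with the same ACL rights, while a principal from an unlisted realm keeps its realm in the AFS name. The following is an added illustration of that mapping, not code from OpenAFS or from anyone in this thread; the realm names, the krb.conf contents and the principal list are constructed, and the mapping rules (instance separator "/" becomes ".", foreign realms are kept lower-cased) are my model of the rxkad behaviour rather than an excerpt from it:

```python
"""Model of how an AFS cell maps Kerberos principals to PTS user names when
several realms are listed as local in the server krb.conf.
Added illustration; the data below is constructed, not taken from any site."""

# Constructed server krb.conf: one realm per line (whitespace-separated
# realms on one line are accepted as well).
KRB_CONF = """# local realms of this cell (constructed example)
CS.EXAMPLE.EDU
AD.EXAMPLE.EDU
"""

# Constructed set of principals that might present tokens to the cell.
PRINCIPALS = [
    "bob@CS.EXAMPLE.EDU",       # Heimdal/MIT realm that the cell operates itself
    "bob@AD.EXAMPLE.EDU",       # institutional AD realm, behind the VPN/firewall
    "alice/admin@CS.EXAMPLE.EDU",
    "carol@OTHER.ORG",          # realm not listed in krb.conf
]


def parse_krb_conf(text):
    """Return the realm names listed in a krb.conf-style file, upper-cased,
    skipping blank lines and '#' comments."""
    realms = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        realms.extend(token.upper() for token in line.split())
    return realms


LOCAL_REALMS = parse_krb_conf(KRB_CONF)


def principal_to_pts_name(principal, local_realms):
    """Map 'user[/instance]@REALM' to the name the cell's PTS sees.

    Principals from a local realm lose the realm and become 'user[.instance]';
    principals from any other realm keep it, lower-cased, as
    'user[.instance]@realm' (assumed model of the rxkad mapping)."""
    if "@" not in principal:
        raise ValueError("principal must carry a realm: %r" % principal)
    name, realm = principal.rsplit("@", 1)
    pts = name.replace("/", ".")
    if realm.upper() in local_realms:
        return pts
    return "%s@%s" % (pts, realm.lower())


def find_collisions(principals, local_realms):
    """Return {pts_name: [principals]} for every PTS name that two or more
    distinct principals map to. Each such group is one AFS identity, so an
    account created under that name in any local realm inherits the ACL
    rights of the others."""
    seen = {}
    for p in principals:
        seen.setdefault(principal_to_pts_name(p, local_realms), []).append(p)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for p in PRINCIPALS:
        print("%-28s -> %s" % (p, principal_to_pts_name(p, LOCAL_REALMS)))
    for pts, group in find_collisions(PRINCIPALS, LOCAL_REALMS).items():
        print("shared AFS identity %r: %s" % (pts, ", ".join(group)))
```

The collision report is the check to run before adding a second realm to krb.conf: every name that exists in both realms is one AFS user, so whoever can create or rename accounts in the AD realm can obtain the AFS rights of any same-named local-realm user, and the reverse.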