[OpenAFS] authenticating using AD servers hidden behind firewall

Ken Dreyer ktdreyer@ktdreyer.com
Mon, 4 Jun 2012 13:35:54 -0600


On Mon, Jun 4, 2012 at 1:18 PM, John Tang Boyland
<boyland@pabst.cs.uwm.edu> wrote:
> Or do you create the Heimdahl principals on demand? What
> is the protocol?

Currently we do this on-demand, if a user requests it.

In order to automate the Heimdal account creation, we are looking into
building something around remctl. So if you had a TGT for
"kdreyer@AD.EXAMPLE.NET", you could use remctl to create a new
"kdreyer@HEIMDAL.EXAMPLE.COM" principal, and there would be no need
for an admin action. Ideally we'd wrap this in a web interface along
with mod_auth_kerb, so users just have to click a button.

Our remctl architecture is a little ways down on the todo list, though :)

More and more resources are moving behind our organization's VPN, so
it's more common for folks to have VPN access today than it used to
be. Out of about 500 users, very few have requested a separate Heimdal
password, and most just use the VPN.

Like you point out, the dual-passwords thing is a real pain. So far
it's the only way we've been able to solve this particular problem.

- Ken
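One way the remctl-backed step described above could be guarded, as an added illustration that is not code from this thread or from the remctl project: the script derives the Heimdal principal from the identity remctl authenticated rather than from anything the caller typed. The command name, the REMOTE_USER variable remctl exports to the command, and the kadmin flags are assumptions.

```shell
#!/bin/sh
# Assumed: remctl runs this script as its "create-principal" command and exports
# the authenticated caller (e.g. kdreyer@AD.EXAMPLE.NET) as REMOTE_USER.
AD_REALM="AD.EXAMPLE.NET"
HEIMDAL_REALM="HEIMDAL.EXAMPLE.COM"

# Map an authenticated AD principal to the one Heimdal principal it may create.
# Prints the target principal; returns 1 (prints nothing) if the caller is not eligible.
derive_heimdal_principal() {
    caller="$1"
    user="${caller%@*}"
    realm="${caller#*@}"
    # Only identities from the AD realm that remctl actually authenticated.
    [ "$realm" = "$AD_REALM" ] || return 1
    # Plain user names only: no empty name, no instance (user/admin), no odd characters.
    case "$user" in
        ''|*[!a-z0-9._-]*) return 1 ;;
    esac
    printf '%s@%s\n' "$user" "$HEIMDAL_REALM"
}

# Entry point when invoked by remctl; does nothing when REMOTE_USER is unset.
if [ -n "${REMOTE_USER:-}" ]; then
    target=$(derive_heimdal_principal "$REMOTE_USER") || {
        echo "not eligible: $REMOTE_USER" >&2
        exit 1
    }
    # Assumed Heimdal kadmin invocation: local admin, defaults, random password shown to the user.
    kadmin -l add --random-password --use-defaults "$target"
fi
```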