[OpenAFS] what is the state of the art client setup for openafs + krb5 + windows

John Perkins john@cs.wisc.edu
Fri, 11 Apr 2014 11:35:32 -0500


We run recent 1.7 clients on our Windows 7 64-bit and Server 2008R2 
computers along with MIT KFW 3.2.2, and we use the integrated login.

Our setup is perhaps a little different than most, but we use alternate 
security identities at our site.  For a user "username":

     cs.wisc.edu                 AFS cell name
     username@CS.WISC.EDU        kerberos principal
     username@AD.CS.WISC.EDU     Windows domain user

All passwords for users are in the kerberos domain, and a kerberos trust 
between the MIT KDC and domain controllers is in place.  The Windows 
user has an "altSecurityIdentities" entry set pointed at 
"Kerberos:username@CS.WISC.EDU".

This setup will fetch a kerberos ticket from the MIT KDC at login, and 
that ticket is used to get an AFS token during login with integrated 
login enabled.  It has worked quite well for our site.

Documentation from Microsoft for how to set this up was originally 
written for Windows 2000 (?!), but it still seems to work fine with 
modern Windows:
http://technet.microsoft.com/en-us/library/bb742433.aspx

Weak encryption types need to be enabled in group policy to allow DES 
principals to authenticate and obtain an AFS token.

John Perkins
UW-Madison Computer Sciences
On 04/10/2014 03:34 AM, Gergely Risko wrote:
> Hi,
>
> In my cell, I use Heimdal + OpenAFS fileserver on linux.
>
> I only enabled krb5, the only keytype for my afs principal is
> aes256-cts-hmac-sha1-96.  Everything works great on linux clients with
> the usual kinit from heimdal, they even get tokens automatically.  For
> MIT clients I have to run an extra aklog, but that's OK.  MacOS works
> too out of the box.
>
> My question is about Windows: what is the currently recommended
> practice on windows clients for this kind of KRB5-only installation?  I
> managed to get it working with some combination of MIT kerberos for
> windows and openafs 1.7, but it involves the user calling kinit and
> aklog in the command line.  This is ugly, because the user has to know
> that the graphical password input window is useless and should be ignored.
>
> So, what exact binaries do you guys download and use on Windows 7 to get
> graphical kerberos password prompt and openafs tokens?
>
> Thanks,
> Gergely
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
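As an added example (not part of this thread), a PowerShell script that applies and audits the altSecurityIdentities mapping John describes, so that each AD user is tied to its MIT principal in the CS.WISC.EDU realm. The usernames are constructed, and the ActiveDirectory module cmdlets are assumed available on a domain-joined admin host.

```powershell
# Map AD users to MIT Kerberos principals via altSecurityIdentities, following
# the layout from the thread: user "username" in AD maps to username@CS.WISC.EDU.
# Assumes the ActiveDirectory module and rights to modify the target users.
param(
    [string]$KerberosRealm = 'CS.WISC.EDU',   # MIT realm from the post
    [string[]]$Users = @('alice', 'bob')      # constructed sample usernames
)
Import-Module ActiveDirectory

foreach ($u in $Users) {
    $mapping = "Kerberos:$u@$KerberosRealm"
    $adUser  = Get-ADUser -Identity $u -Properties altSecurityIdentities
    $current = @($adUser.altSecurityIdentities)

    if ($current -contains $mapping) {
        Write-Output "${u}: already mapped to $mapping"
        continue
    }

    # Surface any other Kerberos: mapping so a stale or foreign principal is noticed
    # before a second one is added; more than one mapping makes logon ambiguous.
    $other = $current | Where-Object { $_ -like 'Kerberos:*' -and $_ -ne $mapping }
    if ($other) { Write-Warning "${u}: existing Kerberos mappings: $($other -join ', ')" }

    Set-ADUser -Identity $u -Add @{ altSecurityIdentities = $mapping }
    Write-Output "${u}: added $mapping"
}

# Audit: every enabled user should carry exactly one Kerberos: mapping in the MIT realm.
# Anything else (none, or several) is reported for follow-up.
Get-ADUser -Filter 'Enabled -eq $true' -Properties altSecurityIdentities |
    ForEach-Object {
        $krb = @($_.altSecurityIdentities) | Where-Object { $_ -like "Kerberos:*@$KerberosRealm" }
        if ($krb.Count -ne 1) {
            [pscustomobject]@{ User = $_.SamAccountName; KerberosMappings = ($krb -join ';') }
        }
    }
```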