[OpenAFS] Kerberos + Windows

Richard Brittain Richard.Brittain@dartmouth.edu
Fri, 26 Aug 2022 15:11:26 +0000



The service principal details are fuzzy now – we haven't touched them in a
long time – but we use a krb.conf to specify two authentication realms,
neither of which matches the cell name. MIT KDC and Active Directory, with
non-overlapping principal names. It works great, and the only issue getting
it set up was explaining to the AD Domain admins why we needed this strange
afs/mydomain.com@AD.MYDOMAIN.COM entry, and get them to promise not to
expire it like other special service accounts we have.

Richard

From: openafs-info-admin@openafs.org <openafs-info-admin@openafs.org> on behalf of Ken Hornstein <kenh@cmf.nrl.navy.mil>
Date: Wednesday, August 24, 2022 at 9:22 PM
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Ben Huntsman <ben@huntsmans.net>, openafs-info@openafs.org <openafs-info@openafs.org>
Subject: Re: [OpenAFS] Kerberos + Windows
>On Wed, Aug 24, 2022 at 04:53:11PM +0000, Ben Huntsman wrote:
>> ktpass /princ afs/mydomain.com@AD.MYDOMAIN.COM /mapuser srvAFS /mapop add /out rxkad.keytab +rndpass /crypto all /ptype KRB5_NT_PRINCIPAL +dumpsalt
>
>When the name of the AFS cell does not match the name of the kerberos
>realm, the OpenAFS configuration needs to include a krb.conf file to
>specify the realm the AFS servers use for authentication.  Note that this
>is completely different from the kerberos krb5.conf file and lives in a
>different location.

Ooof, I totally missed that.  Yes, that would do it.

--Ken
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
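A small sanity check of the rule Ken quotes, added here as an example and not code from the thread or from OpenAFS: it models local-realm selection as "upper-cased cell name unless a krb.conf lists realms" (a simplification assumed here, as is the four-realm limit) and runs Ben's principal with and without a two-realm krb.conf like Richard's.

```python
"""Check an OpenAFS cell's Kerberos realm setup against the rule quoted
above. Simplified model, assumed here: with no krb.conf the only local
realm is the upper-cased cell name; with one, its whitespace-separated
realm names are the local realms."""
from typing import List, Optional, Tuple

MAX_LOCAL_REALMS = 4  # OpenAFS reads at most this many (assumed value)


def local_realms(cell: str, krb_conf: Optional[str]) -> List[str]:
    """Realms the servers treat as local, in krb.conf order."""
    if krb_conf is None:
        return [cell.upper()]
    realms: List[str] = []
    for realm in krb_conf.split():
        if realm not in realms:
            realms.append(realm)
    return realms[:MAX_LOCAL_REALMS]


def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'name@REALM' at the last unescaped '@'."""
    for i in range(len(principal) - 1, -1, -1):
        if principal[i] == "@" and (i == 0 or principal[i - 1] != "\\"):
            return principal[:i], principal[i + 1:]
    raise ValueError(f"no realm in principal {principal!r}")


def check_service_principal(cell: str, principal: str,
                            krb_conf: Optional[str] = None) -> Tuple[bool, str]:
    """Will servers of `cell` accept AFS tickets issued for `principal`?"""
    name, realm = split_principal(principal)
    if name not in ("afs", f"afs/{cell}"):
        return False, f"service name {name!r} is not 'afs' or 'afs/{cell}'"
    realms = local_realms(cell, krb_conf)
    if realm in realms:
        src = "krb.conf" if krb_conf is not None else "upper-cased cell name"
        return True, f"realm {realm} is local ({src})"
    if krb_conf is None:
        return False, (f"realm {realm} != {cell.upper()}; create a krb.conf in "
                       f"the server config directory listing {realm}")
    return False, f"realm {realm} is not among krb.conf realms {realms}"


if __name__ == "__main__":
    # Constructed sample: Ben's principal, then the same principal once a
    # krb.conf names an MIT realm and an AD realm (Richard's setup).
    SPN = "afs/mydomain.com@AD.MYDOMAIN.COM"
    print(check_service_principal("mydomain.com", SPN))
    print(check_service_principal("mydomain.com", SPN, "MYDOMAIN.COM AD.MYDOMAIN.COM\n"))
```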
