[OpenAFS-win32-devel] Kerberos 5 + AD + OpenAFS
Mickey Lane
mlane@sinenomine.net
Mon, 24 Dec 2012 13:00:47 +0000
First, you should move these questions to the openafs-info list. The openafs-win32-devel is for people making changes to the Windows code.

You can use Server 2008 R2 as a KDC.

On the AD server, make an account named ‘afs’. Then use the ktpass command:

ktpass /princ afs/your.cell@YOUR.AD.DOMAIN /mapuser afs /mapop add /out afs_keytab +rndpass /crypto DES-CBC-CRC +desonly /ptype KRB5_NT_PRINCIPAL +dumpsalt

The output will include a line containing something like “… ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x1 (DES-CBC-CRC) keylength…” Note the vno number (3 in this case).

Copy the afs_keytab file to the cell server machine. Then use asetkey. Use the vno number from above.

asetkey add 3 afs_keytab afs/your.cell@YOUR.AD.DOMAIN

From: openafs-win32-devel-admin@openafs.org [mailto:openafs-win32-devel-admin@openafs.org] On Behalf Of ???
Sent: Monday, December 24, 2012 3:22 AM
To: (OpenAFS) Lars Schimmer; openafs-win32-devel@openafs.org
Subject: [OpenAFS-win32-devel] Kerberos 5 + AD + OpenAFS

Dear all:

I need to make a solution that includes Kerberos, AD and OpenAFS.

I installed the AD Domain Controller on Windows 2008 R2, and I installed the Identity Management for UNIX role on the domain controller. I found that 2008 R2 has the KDC, so I'd like to use the DC as the Kerberos 5 server. I hope all the domain users can use OpenAFS without authentication.

How do I make OpenAFS a service principal?

Is it necessary to join the OpenAFS server to the domain? And how?

Is there any successful solution offered on the internet?

I hope someone could give me some documents.

Thanks very much.
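
Added example, not part of the original thread and not OpenAFS code: a Python check that reads the vno, etype and principal directly from the copied afs_keytab file and builds the asetkey line from them, so the vno does not have to be transcribed by hand from the ktpass output. It assumes the MIT keytab file layout, version 0x502; the function names are hypothetical, and the sample keytab is constructed here with an all-zero dummy key.

```python
import struct

DES_CBC_CRC = 0x1  # ktpass prints this as "etype 0x1 (DES-CBC-CRC)"

def _counted(buf, p):  # 16-bit length-prefixed octet string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(buf):
    """Return (principal, name_type, kvno, etype, keylen) per entry of a 0x502 keytab."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        if end > len(buf):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        realm, p = _counted(buf, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(buf, p)
            comps.append(comp.decode())
        name_type, _ts, kvno, etype = struct.unpack_from(">IIBH", buf, p)
        key, p = _counted(buf, p + 11)     # 11 = name type + timestamp + vno8 + etype
        if end - p >= 4:                   # optional 32-bit vno overrides the 8-bit one
            kvno = struct.unpack_from(">I", buf, p)[0] or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), name_type, kvno, etype, len(key)))
        pos = end
    return out

def asetkey_command(buf, principal, keytab_path="afs_keytab"):
    """Build the asetkey line from the keytab itself, using its highest DES vno."""
    hits = [e for e in parse_keytab(buf) if e[0] == principal and e[3] == DES_CBC_CRC]
    if not hits:
        raise LookupError("no DES-CBC-CRC key for " + principal)
    return "asetkey add %d %s %s" % (max(e[2] for e in hits), keytab_path, principal)

def sample_keytab(kvno=3):
    """Constructed one-entry keytab with a dummy all-zero key (not real ktpass output)."""
    cs = lambda s: struct.pack(">H", len(s)) + s
    body = (struct.pack(">H", 2) + cs(b"YOUR.AD.DOMAIN") + cs(b"afs") + cs(b"your.cell")
            + struct.pack(">IIBH", 1, 0, kvno & 0xFF, DES_CBC_CRC) + cs(bytes(8)) + struct.pack(">I", kvno))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

On the cell server, pass the bytes of the real file (open("afs_keytab", "rb").read()) instead of sample_keytab(); a LookupError means the file does not hold a DES-CBC-CRC key for the principal you expected.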