Frank Burkhardt wrote:
> Hi,
>
> we're currently setting up some Metaframe servers (Windows Terminal servers)
> which should be able to access AFS.
>
> Problem is the authentication against (MIT) Kerberos. Users have to enter
> their password twice (Windows login, Kerberos login). Is there any chance to
> use the Windows login password to get AFS tokens without using
> MS-Kerberos and AD?
>
> Is anyone actually doing this?
>
> Thank you for any hints,
>
> Frank
There are a variety of ways to do this.
(1) synchronize the passwords between your two realms so that OAFW's
    integrated login can authenticate against the MIT realm with the
    password used to login to AD

(2) use cross-realm trusts and AD account mappings to allow the users to
    login to the terminal server using the MIT Kerberos principal and
    password

(3) use cross-realm trusts to allow the AD principals to be able to
    obtain afs/[EMAIL PROTECTED] tickets from the MIT realm. Then configure
    AFS to accept the DOMAIN as a local realm name. (This requires
    that you be careful to ensure that administrator account names
    can not be issued in the DOMAIN to non-administrative users.)

(4) you can create an account in the domain and associate with it the
    service principal name afs/[EMAIL PROTECTED]. Mark the account as
    DES-only and ensure that the kvno is different than any of the
    kvnos issued in the MIT realm for afs/[EMAIL PROTECTED] principals.
    Export the key from AD and import it into the AFS keyfile.
    Then configure AFS to accept the DOMAIN as a local realm name.
    (The same caveats about controlling the account name space apply as
    in 3.)
In the 1.5.1 release there is better support for multiple local Kerberos
realms than in earlier releases. More than one local Kerberos realm
can be specified in the afs krb.conf file.
Jeffrey Altman
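The caveat in options (3) and (4) above, as an added illustration that is not part of the original thread or of OpenAFS itself: once the Windows DOMAIN is listed as a local realm, a principal from DOMAIN and a principal from the MIT realm with the same name collapse onto the same AFS user, so an AD account named like an AFS administrator inherits that administrator's rights. The code below is a simplified model of how an AFS server derives a PTS name from a Kerberos principal (instance joined with '.', non-local realm kept as '@realm', everything lowercased) and uses it to find such collisions. The realm names, account names and administrator list are constructed sample data, not values from the thread.

```python
"""Name-space collision check for multiple local Kerberos realms in AFS.

Simplified model (not OpenAFS's own code): a principal name/instance@REALM
becomes the AFS user 'name.instance' when REALM is a local realm, and
'name.instance@realm' otherwise. Realm and account names below are assumed
sample values.
"""

# Assumption: the MIT realm plus the Windows DOMAIN both listed as local,
# as in options (3) and (4) of the reply.
LOCAL_REALMS = {"EXAMPLE.COM", "AD.EXAMPLE.COM"}

# Constructed sample data: members of system:administrators in the MIT realm,
# and accounts that exist in the Windows domain.
MIT_ADMINS = ["admin@EXAMPLE.COM", "jsmith/admin@EXAMPLE.COM"]
DOMAIN_ACCOUNTS = [
    "frank@AD.EXAMPLE.COM",
    "admin@AD.EXAMPLE.COM",          # same name as the MIT 'admin' principal
    "jsmith.admin@AD.EXAMPLE.COM",   # '.' is legal in a sAMAccountName
    "afs/afs.example.com@AD.EXAMPLE.COM",  # the service account from option (4)
]


def parse_principal(principal):
    """Split 'name[/instance]@REALM' into (name, instance, realm)."""
    if "@" not in principal:
        raise ValueError("principal has no realm: %r" % principal)
    local_part, realm = principal.rsplit("@", 1)
    if not local_part or not realm:
        raise ValueError("malformed principal: %r" % principal)
    name, _, instance = local_part.partition("/")
    return name, instance, realm


def afs_user_for(principal, local_realms=LOCAL_REALMS):
    """AFS (PTS) user name a ticket for this principal is accepted as."""
    name, instance, realm = parse_principal(principal)
    afs_name = name if not instance else name + "." + instance
    if realm.upper() in local_realms:
        return afs_name.lower()           # realm stripped: treated as local
    return (afs_name + "@" + realm).lower()  # foreign realm stays visible


def find_collisions(domain_principals, mit_admin_principals,
                    local_realms=LOCAL_REALMS):
    """Map AFS names that a DOMAIN account shares with an MIT administrator
    to the pair (MIT principal, DOMAIN principal) that would be conflated."""
    admin_names = {afs_user_for(p, local_realms): p for p in mit_admin_principals}
    collisions = {}
    for principal in domain_principals:
        afs_name = afs_user_for(principal, local_realms)
        if afs_name in admin_names:
            collisions[afs_name] = (admin_names[afs_name], principal)
    return collisions


if __name__ == "__main__":
    for afs_name, (mit_p, dom_p) in sorted(find_collisions(DOMAIN_ACCOUNTS, MIT_ADMINS).items()):
        print("%-14s <- %s AND %s" % (afs_name, mit_p, dom_p))
    # With only the MIT realm local, the DOMAIN 'admin' becomes
    # 'admin@ad.example.com' and no collision exists.
    print(find_collisions(DOMAIN_ACCOUNTS, MIT_ADMINS, {"EXAMPLE.COM"}))
```

The check is only as good as the administrator list you feed it; in practice that means the members of system:administrators plus any principal with instance 'admin' that holds rights in the cell, and it must be re-run whenever either name space changes.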
