Lars Schimmer <[EMAIL PROTECTED]> wrote:
> Christopher D. Clausen wrote:
>> Lars Schimmer <[EMAIL PROTECTED]> wrote:
>>> Christopher D. Clausen wrote:
>>>> So you have an Active Directory domain that the Windows machines
>>>> are on?
>>>
>>> Yes, there is an AD domain in which the PCs are.
>>>
>>>> And a separate Kerberos Realm for the Linux machines?
>>>
>>> The REALM is the same as the AD domain (both are CGV.TUGRAZ.AT or, in
>>> lower case, cgv.tugraz.at).
>>
>> Okay, this sounds bad. You'll likely need to rename either the
>> domain or the realm. (I believe there is a Windows tool to rename a
>> domain.)
>
> OK, we are just 20 people here using our REALM and no entry in the DNS
> server, so I think it is easier to rename the REALM instead of the AD
> domain. We got a /25 subnet and a DNS entry cgv.tugraz.at (yes,
> academic).
> Within this I wanted to set up OpenAFS (I think it should be named after
> the DNS entry cgv.tugraz.at), krb5 auth (I thought CGV.TUGRAZ.AT is
> best and the only usable one), Linux clients (no probs so far) and an
> AD domain with its own AD domain server. And I think for
> DNS/network/... purposes it is far easier to name the AD domain after
> the DNS entry cgv.tugraz.at (e.g. names of clients, IPs via DHCP, ...).
> I thought the only possible usable REALM was CGV.TUGRAZ.AT and I set
> it up that way and was happy as it worked for the most needed parts
> (login into the AD domain [with own AD password], getting a ticket from
> the krb5 server for the CGV.TUGRAZ.AT REALM and getting a token
> automatically).
If your eventual goal is to set up OpenAFS, I'd suggest ONLY using the AD domain if your Kerberos realm only has a few users now anyway. You can do just about anything in AD that you could do with MIT Kerberos, although the management from the non-Windows side of things is a little annoying, but it is possible. Having everything in one Kerberos realm simplifies single-sign-on and cross-platform issues.

>> You cannot have this work just b/c the realms are the same. There
>> needs to be a trust setup between the realms, or you need to have
>> ALL your non-Windows machines also use the Windows domain as a KDC
>> instead of the MIT one.
>
> Some time ago it was easier to set up the MIT krb5 server instead of
> using AD krb5 auth together with OpenAFS.
>
> And I thought using MIT krb5 software on Windows with an active ticket
> for the correct REALM is the needed part for logging in with putty via
> ticket forwarding.

It is nearly as easy to have an AFS cell use an AD domain as using MIT or Heimdal. Just generate a keytab for the afs/cell service principal and use asetkey to add it to the KeyFile.

<<CDC

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
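The last step of the reply above, generating a keytab for the afs/cell principal and loading it with asetkey, is where a mixed AD/MIT setup usually goes wrong: the keytab ends up holding the wrong principal name, a stray host key, or a kvno that does not match what asetkey is given. The script below is an added example (not code from the thread or from OpenAFS/MIT) that reads the MIT/Heimdal keytab file format (version 0x0502) and checks that the file holds exactly the afs/<cell>@<REALM> key, using the thread's convention that the realm is the upper-cased cell name cgv.tugraz.at / CGV.TUGRAZ.AT. The keytab bytes it inspects are constructed in the script itself, and the host name pc01.cgv.tugraz.at is a made-up placeholder.

```python
import struct

# Added example (not from the thread): a small reader for the MIT/Heimdal
# keytab file format (version 0x0502) and a pre-flight check for the keytab
# that holds the afs/<cell> service key before it is fed to asetkey.
# The keytab bytes used below are constructed here, not taken from a real
# KDC or domain controller.

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted_octets(buf, off):
    """Read a 16-bit length-prefixed byte string at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return the entries of a version-2 keytab as a list of dicts."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_octets(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:               # optional 32-bit kvno overrides vno8
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype),
            "key": key,
        })
    return entries


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes.

    Only used here to construct sample input; real keytabs come from
    kadmin's ktadd on an MIT KDC or ktpass on a domain controller."""
    out = KEYTAB_MAGIC
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def check_afs_keytab(data, cell):
    """List problems with a keytab meant for asetkey; an empty list is OK.

    Thread convention: cell name is the lower-case DNS name, realm is the
    same name in upper case, so the service principal is afs/<cell>@<CELL>."""
    want = "afs/%s@%s" % (cell, cell.upper())
    problems = []
    entries = parse_keytab(data)
    if not any(e["principal"] == want for e in entries):
        problems.append("no key for %s" % want)
    for e in entries:
        if e["principal"] != want:
            problems.append("unexpected principal %s" % e["principal"])
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append("%s has name type %d, expected KRB5_NT_PRINCIPAL"
                            % (e["principal"], e["name_type"]))
    return problems


if __name__ == "__main__":
    # Constructed sample: the afs/cell key plus a stray host key that must
    # not end up in the AFS KeyFile.
    sample = build_keytab([
        ("afs/cgv.tugraz.at@CGV.TUGRAZ.AT", 3, 18, b"\x11" * 32),
        ("host/pc01.cgv.tugraz.at@CGV.TUGRAZ.AT", 2, 23, b"\x22" * 16),
    ])
    for e in parse_keytab(sample):
        print("%-40s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    for p in check_afs_keytab(sample, "cgv.tugraz.at"):
        print("problem:", p)
```

Run it against the real keytab by replacing the constructed sample with `open("/path/to/afs.keytab", "rb").read()`; the kvno it prints is the value to hand to asetkey, and any "unexpected principal" line means the keytab should be regenerated for the service principal alone rather than loaded as-is.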
