Login on existing network

Sensei

Hi.

I've built an afs cell, a kerberos kdc, an openldap server, all
kerberized. Now all linux clients can login on the cell using k5
authentication, finding information about their home dirs with ldap.
Their homes reside on the afs cell, which allows r/w access since it
releases a token from the k5 ticket. All macosx clients can login as
well... but what about windows?

I'd like to avoid creating windows users on every windows client...
since we have more than 700 users... and I know I can set up an AD
server, creating users on kerberos/afs/ldap AND the same users on AD...

So I have 2 possible solutions:

1. Make windows see mit kdc, get information from openldap, map the
home directory on the afs cell, retrieving k5 ticket and afs tokens.

2. Make an AD server and let it interact with mit k5 and afs.

In the second case, it's mandatory to get tickets and tokens, and the
home dirs mapping as well. Moreover, I'd like to create remotely users
and mappings.

I need some hints, please...
 
Herb Martin

Have you searched Google for the whitepapers at Microsoft?

Something like:

[ Kerberos mit "version 5" | v5 site:microsoft.com ]
 
Sensei

Herb said:
> Have you searched Google for the whitepapers at Microsoft?
>
> Something like:
>
> [ Kerberos mit "version 5" | v5 site:microsoft.com ]

Yes, and it's not exhaustive: home directories mapping is not part of
any document I read. I know how to make authentication against mit (a
simple x-trust-realm), but I need also home directories remapping.
 
Herb Martin

> Yes, and it's not exhaustive: home directories mapping is not part of
> any document I read. I know how to make authentication against mit (a
> simple x-trust-realm), but I need also home directories remapping.

Home directory mapping is of course part of the
AD client logon, so whose directories do you
wish to map?

You might have to revert to the (old way of doing this by)
using script files -- perhaps from a known location with
environment variables basing it on user name etc.

--
Herb Martin
 
Sensei

Herb said:
> Home directory mapping is of course part of the
> AD client logon, so whose directories do you
> wish to map?

The students' directories. They will have to log in, acquire tickets and
tokens along with mounting the right directory as their home.

> You might have to revert to the (old way of doing this by)
> using script files -- perhaps from a known location with
> environment variables basing it on user name etc.

I haven't found anything regarding AFS and kerberos on AD. I hope I can
do all administrative tasks remotely, via a simple script.

Anyone has some links?
 
Herb Martin

Sensei said:
> The students' directories. They will have to log in, acquire tickets and
> tokens along with mounting the right directory as their home.

By "whose" I meant clients of which OS and on servers of
which OS.

> I haven't found anything regarding AFS and kerberos on AD. I hope I can
> do all administrative tasks remotely, via a simple script.

AFS doesn't surprise me.
 
Sensei

Herb said:
> By "whose" I meant clients of which OS and on servers of
> which OS.

As I said in the first post, linux and macosx clients along with windows
ones. The first two are not a problem, since I'm using only standard
protocols. AIX, Irix and BSD clients are present, but we know how to
handle them.

Windows clients are also needed, and so I'm asking what would you do.

> AFS doesn't surprise me.

I don't understand.
 
