...
Kerberos is also required on Linux and must be configured with a krb5.conf file. The exact format of your Kerberos configuration file may vary depending on whether you are using MIT Kerberos or Heimdal Kerberos. Regardless, the following must be defined in your file:
```
[libdefaults]
    allow_weak_crypto = true
    ticket_lifetime = 30d
    renew_lifetime = 30d
    forwardable = true
    renewable = true

[realms]
    CIT.CORNELL.EDU = {
        kdc = kerberos.cit.cornell.edu:88
        kdc = kerberos2.cit.cornell.edu:88
        admin_server = kerberos.cit.cornell.edu:749
        default_domain = cit.cornell.edu
    }
    CNF.CORNELL.EDU = {
        kdc = hole.cnf.cornell.edu:88
        kdc = smoke.cnf.cornell.edu:88
        kdc = mist.cnf.cornell.edu:88
        admin_server = hole.cnf.cornell.edu:749
        default_domain = cnf.cornell.edu
    }
    CORNELL.EDU = {
        kdc = ad2.cornell.edu
        kdc = ad1.cornell.edu
        default_domain = cornell.edu
    }
    GUEST.CORNELL.EDU = {
        kdc = obsidian1.cit.cornell.edu:88
        kdc = obsidian2.cit.cornell.edu:88
        admin_server = obsidian1.cit.cornell.edu
        default_domain = guest.cornell.edu
    }

[domain_realm]
    .cit.cornell.edu = CIT.CORNELL.EDU
    cit.cornell.edu = CIT.CORNELL.EDU
    .mail.cornell.edu = CIT.CORNELL.EDU
    mail.cornell.edu = CIT.CORNELL.EDU
    .cnf.cornell.edu = CNF.CORNELL.EDU
    cnf.cornell.edu = CNF.CORNELL.EDU
```
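Added example (not part of the original page or any CNF tooling): a small Python check that a local krb5.conf, or a krb5.ini merged with another organization's file, still contains the entries required above. It compares literal key/value pairs; `REFERENCE` is a subset of the configuration above, while the `EXAMPLE.ORG` realm and the `MERGED` sample are constructed for illustration.

```python
def parse_krb5(text):
    """Map (section, subsection, key) -> set of values; repeated keys such as kdc accumulate."""
    conf, section, sub = {}, None, ""
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], ""
        elif line == "}":
            sub = ""
        elif "=" in line and section:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                sub = key  # opens a realm block, e.g. CNF.CORNELL.EDU = {
            else:
                conf.setdefault((section, sub, key), set()).add(value)
    return conf

def missing_entries(reference, candidate):
    """(section, subsection, key, value) tuples in the reference but not in the candidate."""
    ref, cand = parse_krb5(reference), parse_krb5(candidate)
    return [(sec, sub, key, v)
            for (sec, sub, key), vals in sorted(ref.items())
            for v in sorted(vals - cand.get((sec, sub, key), set()))]

# CNF-related subset of the configuration shown above.
REFERENCE = """
[libdefaults]
allow_weak_crypto = true
[realms]
CNF.CORNELL.EDU = {
kdc = hole.cnf.cornell.edu:88
kdc = mist.cnf.cornell.edu:88
}
[domain_realm]
cnf.cornell.edu = CNF.CORNELL.EDU
"""
# Constructed sample: a hypothetical organization's file after an incomplete merge.
MERGED = """
[realms]
EXAMPLE.ORG = {
kdc = kdc.example.org
}
CNF.CORNELL.EDU = {
kdc = hole.cnf.cornell.edu:88
}
"""
if __name__ == "__main__":
    print(*missing_entries(REFERENCE, MERGED), sep="\n")
```

To check a real file, pass the full reference configuration and the contents of the installed krb5.conf or krb5.ini as the two arguments.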
Windows
- Download MIT Kerberos for Windows 4.0.1 (32- or 64-bit, depending on your Windows OS install) from http://web.mit.edu/kerberos/dist/index.html
- Do a Typical install
- Download the OpenAFS 1.6.x MSI client installer (for Managed installations) from http://www.openafs.org/windows.html -- do NOT use 1.7.x unless on a laptop
- If installing on 64-bit Windows, you will also need the 32-bit tools package. Install this doing a "Typical" install.
- Set your computer not to go to sleep unless installing 1.7.x
- Run the OpenAFS installer
- Select a Custom install
- Accept the defaults for which components to install
- If installing 1.7.x, you will need to install the "Authentication" component -- not enabled by default in 1.7.x.
- Change the cell name from openafs.org to cnf.cornell.edu
- Accept defaults on the rest of the screens
- Don't yet reboot (when prompted by the installer)
- Run the attached .reg files to set OpenAFS registry settings
- Copy the attached krb5.ini to C:\ProgramData\MIT\Kerberos (on XP, instead use C:\Documents and Settings\All Users\Application Data), overwriting any krb5.ini file that may already be there
- NOTE: If your organization also uses Kerberos, you will instead want to merge the CNF krb5.ini into your organization's krb5.ini.
- Your local tech support or CNF Computing support can help you with this.
- Firewall Configuration - Under Windows XP and newer, we recommend that you just use the built-in Windows firewall. For other firewalls:
- SYMANTEC - If the Symantec Client Firewall is installed, you will need to add a rule allowing all traffic to/from 10.254.254.253
- If, during the Symantec configuration process, you get a popup window about a script error, you have two choices:
- Reinstall Symantec - this MAY fix the problem
- Disable the Symantec firewall and enable the Windows firewall - consult CNF IT staff for help on doing this
- If you would prefer to continue using the Symantec Client firewall, follow the below to allow AFS to work:
...