From Netatalk Wiki
Revision as of 06:14, 7 February 2014 by Franklahm
Enabling SSO with Active Directory
Below are the basic steps needed for SSO with Active Directory.
Using ktpass on Windows
First you must generate a Kerberos service principal for the Netatalk AFP server in AD. This is done with the CLI tool "ktpass" on Windows. The basic syntax is:
ktpass -princ afpserver/fqdn@REALM -mapuser mapuser@domain +rndPass -out afpserver.keytab
- fqdn: fqdn of your Netatalk server
- REALM: Kerberos realm name of AD domain
- mapuser@domain: name of new user who's password is set to never expire
ktpass -princ afpserver/oi.ad.netafp.com@AD.NETAFP.COM -mapuser email@example.com +rndPass -out afpserver.keytab
- Copy the keytab to your Netatalk server and set the afp.conf 'k5 keytab' option to the path where you stored it.
- Enable the GSS UAM (add uams_gss.so to 'uam list' in afp.conf -- must be compiled of course)
[Global] ... k5 keytab = /etc/krb5/afp.keytab uam list = uams_dhx2.so uams_guest.so uams_gss.so