Kerberos
Enabling SSO with Active Directory
Below are the basic steps needed for SSO with Active Directory.
Using ktpass on Windows
First you must generate a Kerberos service principal for the Netatalk AFP server in AD. This is done with the CLI tool “ktpass” on Windows. The basic syntax is:
ktpass -princ afpserver/fqdn@REALM -mapuser mapuser@domain +rndPass -out afpserver.keytab
- fqdn: fqdn of your Netatalk server
- REALM: Kerberos realm name of AD domain
- mapuser@domain: name of a new AD user whose password is set to never expire (ktpass maps the service principal to this account)
Full example:
ktpass -princ afpserver/[email protected] -mapuser [email protected] +rndPass -out afpserver.keytab
Configure Netatalk
- Copy the keytab to your Netatalk server and set the afp.conf ‘k5 keytab’ option to the path where you stored it.
- Enable the GSS UAM (add uams_gss.so to ‘uam list’ in afp.conf – Netatalk must have been built with the GSS UAM, of course)
Example:
[Global]
...
k5 keytab = /etc/krb5/afp.keytab
uam list = uams_dhx2.so uams_guest.so uams_gss.so
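As an added check (not part of the Netatalk wiki or the Netatalk project), the POSIX shell script below reads the two afp.conf settings from the steps above and verifies them before afpd is restarted: that the file named by ‘k5 keytab’ exists and is readable only by its owner, and that uams_gss.so appears in ‘uam list’. If an MIT-style klist is installed it also lists the principals in the keytab so you can confirm the afpserver/fqdn@REALM entry is really there. The demo function builds a constructed afp.conf and a dummy keytab in a scratch directory; the parser assumes the simple "key = value" form shown on this page and does not handle every afp.conf feature.

```shell
#!/bin/sh
# Added example, not from the Netatalk wiki: sanity-check the 'k5 keytab'
# and 'uam list' settings before restarting afpd. Assumes a POSIX sh and
# that afp.conf uses the "key = value" form shown above.

# Print the value of key $2 from afp.conf $1 (first match only).
# Simplified: does not restrict itself to the [Global] section.
afp_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if uams_gss.so is one of the whitespace-separated 'uam list' entries.
check_gss_uam() {
    uams=$(afp_conf_get "$1" "uam list")
    case " $uams " in
        *" uams_gss.so "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if $1 is a regular file with no group/other permission bits.
# Columns 5-10 of "ls -l" (e.g. "-rw-------") are the group/other bits.
keytab_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks against afp.conf $1; return 0 only if every check passes.
check_afp_sso() {
    conf=$1
    status=0
    keytab=$(afp_conf_get "$conf" "k5 keytab")
    if [ -z "$keytab" ]; then
        echo "FAIL: no 'k5 keytab' setting in $conf"; status=1
    elif ! keytab_is_private "$keytab"; then
        echo "FAIL: $keytab is missing or readable by group/other"; status=1
    else
        echo "ok: keytab $keytab exists with owner-only permissions"
    fi
    if check_gss_uam "$conf"; then
        echo "ok: uams_gss.so is present in 'uam list'"
    else
        echo "FAIL: uams_gss.so is not in 'uam list'"; status=1
    fi
    # Optional: show the principals stored in the keytab (MIT klist syntax).
    if [ -n "$keytab" ] && command -v klist >/dev/null 2>&1; then
        klist -kt "$keytab" || echo "warn: klist could not read $keytab"
    fi
    return $status
}

# Constructed demo: write a scratch afp.conf and dummy keytab (not a real
# keytab) with mode $1 and uam list $2, run the checks, then clean up.
demo() {
    mode=$1
    uams=${2:-"uams_dhx2.so uams_guest.so uams_gss.so"}
    dir=$(mktemp -d) || return 1
    keytab="$dir/afp.keytab"
    printf 'constructed placeholder, not a real keytab\n' > "$keytab"
    chmod "$mode" "$keytab"
    cat > "$dir/afp.conf" <<EOF
[Global]
k5 keytab = $keytab
uam list = $uams
EOF
    check_afp_sso "$dir/afp.conf"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Usage: sh check-afp-sso.sh /etc/netatalk/afp.conf
if [ "$#" -gt 0 ]; then
    check_afp_sso "$1"
fi
```

The permission check is the part worth keeping around: the keytab holds the AFP service's long-term Kerberos key, so anyone able to read it can impersonate the service to clients. Store it owned by the account afpd runs as, mode 0600, and treat a world-readable keytab as a finding rather than a convenience.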
This is a mirror of the Netatalk GitHub Wiki. Please visit the original page if you want to correct an error or contribute new contents.
Last updated 2024-12-09