[OpenAFS] Authenticating against krb5-only KDC (active directory)

Bill Richardson richarwk@rose-hulman.edu
Fri, 15 Mar 2002 11:50:24 -0500

> Hmm but how do I get access to the krb5-token stashed by windows at

> Is this possible without having to run the old win32 kerberos5 kit,
so users
> have to type in their password twice, once for logging on to
windows, and once
> for doing kinit+aklog?

>You run ms2mit. That copies the des-cbc-crc ticket from lsa stash to
>ccache. Sometime someone should make a LSA-direct version of aklog,
> or integrate ms2mit into aklog, but I doubt that will happen any 
> time soon. 

> If you put ms2mit, and aklog in your startup items, that should take
> care of everything for you on windows. (Might need to rename to make
> sure ms2mit runs first or use a script of some sort).

I apologize if the formatting is wrong on this, or if I sent it to the
wrong place, as I've never done this before.

We're implementing exactly the above procedure at Rose-Hulman
Institute of Technology, and were having some difficulty getting it to
work.  However, I was able to combine aklog and ms2mit in one Windows
exe, and it works under Windows 2000 (including with Service Pack 2,
which sometimes caused problems with aklog) and Windows XP.  It's
still in its early stages and needs some work, but I just thought I'd
let everyone know that such a package does indeed exist (as of today).