[OpenAFS] AFS Windows Network ID Manager Plugin Configuration

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 23 Mar 2011 13:03:19 -0400



On 3/23/2011 12:21 PM, John P Janosik wrote:
> The nidmdbg.log shows:
>
> 11:04:00.312 [98] Begin: Getting AFS tokens... (child of [96])
> 11:04:00.312 2948[98] Info:(AfsCred) AFS New Creds :: ident
> 0000000001BF3E30
> 11:04:00.312 2948[98] Info:(AfsCred) Getting tokens for cell
> <cell>.ibm.com with realm <REALM>.IBM.COM using method 2
> 11:04:00.312 2948[98] Debug(1): Trying Kerberos 5
> 11:04:00.375 2948[98] Debug(1): Trying Krb524
> 11:04:00.375 2948[98] Debug(1): Kerberos 4 not configured
> 11:04:00.375 2948[98] ERROR:(AfsCred) Credentials could not be obtained
> for cell <cell>.ibm.com.

There is no Kerberos v4 support on this system.  Therefore, you cannot
use krb524 as a token format translation method.

End of life for Kerberos v4 was announced in 2003 by MIT.  Kerberos v4
was not implemented for any new platforms after that announcement.  My
guess is that you are using a 64-bit Windows operating system for which
there is no Kerberos v4 support.

If that is the case, you will have to avoid installing 64-bit versions
of Kerberos and NetIdMgr and instead exclusively use the 32-bit versions
in conjunction with the OpenAFS 32-bit tools package.  That is the only
method by which Kerberos v4 support can be obtained from existing
distributions.

Note that 3.2.2 is the last version of MIT Kerberos that will include
Kerberos v4 support at all.  The Heimdal Kerberos for Windows also will
have no Kerberos v4 support on any platform.

An alternative approach that IBM could pursue for this transition is to
implement a KAS identity provider for Network Identity Manager and use
that until such time as all of the AFS servers have been migrated from
IBM to OpenAFS.

Jeffrey Altman



