[OpenAFS] what is the state of the art client setup for openafs + krb5 + windows

Mickey Lane mlane@sinenomine.net
Thu, 10 Apr 2014 19:03:46 +0000

Go to http://openafs.org/windows.html and follow the links for Heimdal.

Install the appropriate (32 vs 64-bit) version of Heimdal and Network Ident=
ity Manager v2 followed by the current OpenAFS release. Both of these are m=
si install files.

For my purposes, I need to add " allow_weak_crypto =3D true" to the [libdef=
aults] section of the krb5.conf file.

Configure identities in NIM.

My personal choice is to log into OpenAFS manually. Perhaps someone else ca=
n comment on integrated login.

-----Original Message-----
From: openafs-info-admin@openafs.org [mailto:openafs-info-admin@openafs.org=
] On Behalf Of Gergely Risko
Sent: Thursday, April 10, 2014 4:35 AM
To: openafs-info@openafs.org
Subject: [OpenAFS] what is the state of the art client setup for openafs + =
krb5 + windows


In my cell, I use Heimdal + OpenAFS fileserver on linux.

I only enabled krb5, the only keytype for my afs principal is aes256-cts-hm=
ac-sha1-96.  Everything works great on linux clients with the usual kinit f=
rom heimdal, they even get tokens automatically.  For MIT clients I have to=
 run an extra aklog, but that's OK.  MacOS works too out of the box.

My question is about Windows: what is the currently recommeneded practice o=
n windows clients for this kind of KRB5 only installations?  I managed to g=
et it working with some combination of MIT kerberos for windows and openafs=
 1.7, but it involves the user calling kinit and aklog in the command line.=
  This is ugly, because the user has to know, that the graphical password i=
nput window is useless and should be ignored.

So, what exact binaries do you guys download and use on Windows 7 to get gr=
aphical kerberos password prompt and openafs tokens?


OpenAFS-info mailing list