[OpenAFS] Heimdal, Openafs and Win2000

Enrico Pelletta enrico@it.kth.se
Thu, 05 Dec 2002 17:43:35 +0100


Hi!

I have gotten a similar problem with Heimdal 0.5.1 and OpenAFS 1.2.7.

No problems with Linux, but the Windows clients try to get the token 
afs@REALM instead of afs/cell@REALM and then fail.

I sent a mail about the problem to the OpenAFS info mailing list without 
getting any answer.

	Enrico.



Valentin v. Seggern wrote:
> Hi openafs- and heimdal-mailinglists,
> 
> I'm trying to set up a heterogeneous openafs/heimdal environment.
> 
> I have a heimdal-0.5.1 kdc alongside an openafs-1.2.6 afs-server 
> running on my linux server. 
> 
> Client Operating Systems include Linux and Windows 2000. Linux 
> Systems run openafs-1.2.6 Clients; on Windows I deploy 
> openafs-1.2.2b Clients. (Downloaded binaries from www.openafs.org)
> 
> Things work fine on Linux now, i.e. I can login (pam), get a kerberos V
> ticket (kpam.so), convert it to an afs token (kpam.so). Right now I do 
> have three accounts, a regular unix account, an entry in the kerberos
> db and one in afs's pts db...
> 
> On Windows things seem to be a little more "confusing". My kerberos/afs 
> testuser has a local windows - user account and when I login I'm granted 
> kerberos tickets from my heimdal-linux kdc. (To set up this, I used 
> ksetup the way it was described in heimdal's documentation). 
> 
> But I can not convert these tickets to afs tokens (no afslog for 
> windows?!) and when I try to use the windows-openafs included "Obtain
> New Afs Tokens"-tool, I get an "Error 8: The user doesn't exist". 
> 
> My heimdal kdc.log shows strange things such as:
> 
> 2002-11-27T11:17:58 AS-REQ vvs.@LABIX from IPv4:192.168.0.7 for 
> afs.@¨+@¨+@
> 2002-11-27T11:17:58 Server not found in database: afs.@¨+@¨+@: Failed to 
> convert v4 principal
> 
> My Cellname is labix, my realm LABIX but my testuser name is vvs (without
> a . at the end.). And this is the name I type into this "obtain-token" 
> window.
> 
> By the way, klist.exe (from microsoft) shows my v5 tickets.
> 
> Is there a way to use Windows 2000 as Openafs Client/w Kerberos? What's 
> the minimum number of User-dbs I have to sync and administer (read: 
> Can I setup one User-Database (maybe using openldap) to be used by Linux
> and Windows2000)? And how do I do that?
> 
> 
> Please feel free to send every little piece of information that you have 
> and think could benefit me.
> 
> Thank you for your patience, good work and for sharing your knowledge,
> 
> Valentin v. Seggern
> 
>