[OpenAFS] OpenAFS + Kerberos V (krb5) + Linux ok, Win2k bad

Noel Burton-Krahn noel@burton-krahn.com
Wed, 20 Mar 2002 14:04:31 -0800


First, the good news: I have got OpenAFS working with Kerberos V on my
RedHat box.  PAM works too, so all my Linux clients automagically get krb5
and AFS tokens on login. Wonderful.  I'll include a description of how I did
it after the bad news.

The bad news: I can't get the OpenAFS Windows 2000 client to authenticate.
1. If I disable Kerberos and use pure AFS, the Win2k client works perfectly.
2. If I enable Kerberos, I CAN obtain tokens when I run the Win2k AFS
"Account Manager" and "Server Manager" applications.
3. BUT, with Kerberos enabled, I get an error when I try to obtain tokens
with the "Client Authentication" application: "Error: 8 (user doesn't
exist)"
4. That error goes away if I turn krb5 off.

So, why does the Win2k "Account Manager" work while the "Client
Authentication" doesn't?

--Noel

---------------------------------------------------
Here's how I got this far.

RedHat-7.2
Linux-2.4.18
MIT Kerberos V (krb5-server-1.2.2-13)
OpenAFS (openafs-1.2.3-rh7.2.2)
OpenAFS 1.2.2b Release (AFSforWindowsNT.exe MD5:
467ae399f5c18a1482681c609c689ff3)


First, I followed the QuickStart UNIX
(http://www.openafs.org/pages/doc/QuickStartUnix/auqbg002.htm) to get AFS
set up and running.  /afs was mounted properly, and everything works.

Next, I used asetkey to link afs to krb5.  The most crucial part of this was
"kadmin.local -e des-cbc-crc:v4"

asetkey list        # make sure highest keynum is 1
kadmin.local -e des-cbc-crc:v4    # the -e is crucial
  addprinc afs/burton-krahn.com@BURTON-KRAHN.COM
  modprinc -kvno 1 afs/burton-krahn.com@BURTON-KRAHN.COM
  ktadd -k /etc/krb5.keytab afs/burton-krahn.com@BURTON-KRAHN.COM
  quit
asetkey add 2 /etc/krb5.keytab afs/burton-krahn.com


# test it out
kinit noel
aklog
klist
tokens
# ok!

# get the authconfig script to inject pam_krb5afs.so
authconfig

# references
# http://www.cs.cmu.edu/afs/andrew.cmu.edu/usr/shadow/www/afs/afs-with-kerberos.html
# http://www.mathematik.uni-karlsruhe.de/~iwrmm/Persons/Schulz/Unix/afs/afs-krb5.html
# http://archive.ncsa.uiuc.edu/General/CC/kerberos/afs_krb5_migration.html

That's it!  I shut down bos, started krb5server, and restarted bos.  Next
time I logged in, I got the right krb5 and AFS tokens!


# rpm -qa | grep krb
krb5-devel-1.2.2-13
krbafs-utils-1.0.9-2
openafs-krb5-1.2.3-rh7.2.2
krb5-libs-1.2.2-13
pam_krb5-1.46-1
krbafs-devel-1.0.9-2
krb5-workstation-1.2.2-13
krbafs-1.0.9-2
krb5-server-1.2.2-13

# rpm -qa | grep openafs
openafs-client-1.2.3-rh7.2.2
openafs-krb5-1.2.3-rh7.2.2
openafs-1.2.3-rh7.2.2
openafs-kernel-1.2.3-rh7.2.2
openafs-compat-1.2.3-rh7.2.2
openafs-kpasswd-1.2.3-rh7.2.2
openafs-server-1.2.3-rh7.2.2
openafs-devel-1.2.3-rh7.2.2
openafs-kernel-source-1.2.3-rh7.2.2
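
Added example, not part of the original message: a check for the asetkey step described above. ktadd generates a new key and increments the kvno, so the number given to "asetkey add" has to be the kvno actually stored in the keytab, and the key has to be des-cbc-crc. The klist text, the host/ principal and the function names are constructed for this example, and real "klist -k -e" output varies between krb5 releases.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the keytab entry for the
# AFS service principal before running "asetkey add <kvno> <keytab> <princ>".

# Constructed sample of "klist -k -e /etc/krb5.keytab" output after ktadd.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.burton-krahn.com@BURTON-KRAHN.COM (Triple DES cbc mode with HMAC/sha1)
   2 afs/burton-krahn.com@BURTON-KRAHN.COM (DES cbc mode with CRC-32)'

# afs_entries PRINCIPAL: read klist text on stdin, print "kvno|enctype" for
# every keytab entry whose principal matches exactly.
afs_entries() {
    awk -v p="$1" '$2 == p {
        kv = $1; $1 = ""; $2 = ""
        sub(/^ +/, ""); gsub(/[()]/, "")
        print kv "|" $0
    }'
}

# check_afs_key PRINCIPAL KEYNUM: read klist text on stdin; succeed only if
# there is exactly one key for PRINCIPAL, it is des-cbc-crc, and its kvno
# equals the key number about to be passed to asetkey.
check_afs_key() {
    entries=$(afs_entries "$1")
    count=$(printf '%s\n' "$entries" | awk -F'|' 'NF > 1 { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || { echo "expected 1 key for $1, found $count"; return 1; }
    kvno=${entries%%|*}
    etype=${entries#*|}
    case "$etype" in
        "DES cbc mode with CRC-32"|des-cbc-crc) ;;   # old and new klist spellings
        *) echo "enctype '$etype' is not des-cbc-crc"; return 1 ;;
    esac
    [ "$kvno" -eq "$2" ] || { echo "keytab kvno $kvno != asetkey key number $2"; return 1; }
    echo "ok: kvno $kvno, $etype"
}

# Run against the constructed sample; on a real host pipe in
#   klist -k -e /etc/krb5.keytab
printf '%s\n' "$SAMPLE_KLIST" | check_afs_key afs/burton-krahn.com@BURTON-KRAHN.COM 2
```

A mismatch between the keytab kvno and the key number given to asetkey is reported before the fileserver is restarted, rather than surfacing later as failed token requests.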