[OpenAFS] Win2k AFS access problem using krb5

Dave Bailey D.Bailey@bristol.ac.uk
Mon, 25 Mar 2002 17:43:40 -0000


Hi all,

I've been playing around with OpenAFS using Win2k as the krb5 kdc. Here's
the status so far:

Built win2k test domain (1 machine) and installed openafs 1.1.1 on it
(client+server) as that is the most recent release that the server works
on... All works fine.

Next, built mit krb5 1.2.4, got krb524.dll built and a test version of
krb524d wroking on win2k. Also have a working win2k version of aklog and
asetkey from the krb5 migration kit.

Created an afs principal account in Active directory (called afs).

Checked the kvno on the server with "astekey list"

Created a service account mapping for the afs AD account to
"afs/mytestcell.local@MYTESTCELL.LOCAL" and exported it to a keytab, making
sure the kvno was one higher that the higest value listed by asetkey, using
the MS ktpass utility.

Installed the keytab as the default keytab for krb524d and also added it to
the server keyfile with
"asetkey 1 afs.keyfile afs/mytestcell.local@MYTESTCELL.LOCAL"

Restarted everything. All OK.

I can use kinit (from MIT) or ms2mit followed by aklog and get tickets that
show up fine from "tokens". The trouble is that there seems to be some
weirdness actually accessing the afs filespace with these tokens in the
cache. fs listacl on the root.cell volume returns with error code 0x19 and
subsequent attempts result in "Connection timed out" errors. I'm guessing
that these credentials are doing something bad inside the win2k AFS client
as I've seen some event logs with Access Violation errors, but I'm not sure
where to start looking.

Any suggestions?

Cheers,
	Dave
                                              __  _
David Bailey                              .-.'  `; `-._  __  _
Bristol University                       (_,         .-:'  `; `-._
Email: D.Bailey@Bristol.ac.uk          ,'o"(        (_,           )
Tel:   +44 117 9546879                (__,-'      ,'o"(            )>
Fax:   +44 117 9255624                   (       (__,-'            )
                                          `-'._.--._(             )
                                             |||  |||`-'._.--._.-'
                                                        |||  |||