[OpenAFS] AFS on Win9x: kerberos configuration?
Peter Bloecher (EED)
Peter.Bloecher@eed.ericsson.se
Thu, 23 May 2002 15:45:17 +0200
Derek Atkins wrote:
>
> Assuming you are using the standard Windows AFS applications,
I am using OpenAFS 1.2.2b for Win9x.
> it only has support to KAServer. The KAServer assumes that the
> Kerberos Realm == AFS Cell Name. Note that this has nothing
> to do with the local host's DNS Domain.
>
> The KAServer is determined by the cell name, which is configured
> by "ThisCell".
I'm not sure I understand exactly what KAserver means. Actually I am
not too familiar with the details of how AFS works (sorry...).
What is the name of the KAserver? Is there an implicit assumption that
it must be called kerberos.<cell name>? Or does the AFS client try all hosts
in CellServDB?
In our case, we have the following situation:
ThisCell = cell1.domain.cc
Auth servers for this cell: somehost1.domain.cc and somehost2.domain.cc
(they are included in CellServDB)
another cell: domain.cc (note same domain/cc as above, i.e. "parent" domain)
Auth servers for the other cell: kerberos.domain.cc, kerberos-1.domain.cc,
kerberos-2.domain.cc
>
> Note that these tools do NOT support the "afs/<cell>@<REALM>"
> convention where cell != REALM. If you have multiple AFS Cells
> sharing the same Kerberos realm (such as a number of MIT AFS Cells:
> afs/sipb.mit.edu@ATHENA.MIT.EDU) then you cannot use the distributed
> KAServer tools.
No, I think that is not the case here (see above). Two cells, two Kerberos
realms, no <cell>@<realm>.
Is it possible to make the windows tools produce information on what servers
they talk to? The error message I get is not very helpful...
/Peter
>
> -derek
>
> "Peter Bloecher (EED)" <Peter.Bloecher@eed.ericsson.se> writes:
>
> > Hello,
> >
> > as a followup to my problem posted yesterday (user doesn't exist):
> > Having played around with the auxiliary programs a little bit it seems
> > to me that the problem is caused by kerberos problems.
> >
> > My guess is that kerberos derives the authentification server name from
> > the domain name, which is a problem since the cell I want to connect
> > to has a name DIFFERENT from the domain name AND there is in fact a cell
> > which has the same name as the domain name.
> >
> > In other words: I think that the client talks to the wrong authentification
> > server, and thus does not find my username (since I have no account on that
> > server).
> >
> > Is there any way to configure the authentification server on Win9x?
> > On Unix, there are /etc/krb.realms and /etc/krb.conf . Is there anything
> > equivalent?
> >
> > Any help greatly appreciated...
> >
> > /Peter
> >
> > "Peter Bloecher (EED)" wrote:
> > >
> > > Hello,
> > >
> > > I am trying to run the OpenAFS client (1.2.2b) for Win9x on a Win98 box.
> > > Trying to authenticate fails; the message is
> > >
> > > "Unable to authenticate to AFS because: 'User doesn't exist'"
> > >
> > > Please find enclosed the relevant sections of afscli.log and afsd_init.log.
> > > Needless to say: accessing AFS from my SUN workstation does work
> > > using the same user name(s)/password(s) & the same ThisCell / CellServDB.
> > >
> > > Any help is highly welcome.
> > >
> > > Best regards,
> > > /Peter
> > >
> > > PS: please CC me on the mail
> > >
> > > --
> >
> > --
> >
> > Peter Bloecher, Ericsson Research
> > Speech & Signal Processing
> > Ericsson Eurolab Deutschland GmbH Tel: +49 911 255 1307
> > Neumeyerstr. 50 Fax: +49 911 255 1961
> > D-90411 Nuernberg mailto:Peter.Bloecher@eed.ericsson.se
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
>
> --
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> warlord@MIT.EDU PGP key available
--
Peter Bloecher, Ericsson Research
Speech & Signal Processing
Ericsson Eurolab Deutschland GmbH Tel: +49 911 255 1307
Neumeyerstr. 50 Fax: +49 911 255 1961
D-90411 Nuernberg mailto:Peter.Bloecher@eed.ericsson.se