[OpenAFS] AFS on Win9x: kerberos configuration?

Peter Bloecher (EED) Peter.Bloecher@eed.ericsson.se
Thu, 23 May 2002 15:45:17 +0200


Derek Atkins wrote:
> 
> Assuming you are using the standard Windows AFS applications,

I am using OpenAFS 1.2.2b for Win9x.

> it only has support for KAServer.  The KAServer assumes that the
> Kerberos Realm == AFS Cell Name.  Note that this has nothing
> to do with the local host's DNS Domain.
> 
> The KAServer is determined by the cell name, which is configured
> by "ThisCell".

I'm not sure I understand exactly what KAServer means. Actually I am
not too familiar with the details of how AFS works (sorry...).

What is the name of the KAServer? Is there an implicit assumption that
it must be called kerberos.<cell name>? Or does the AFS client try all hosts
in CellServDB?

In our case, we have the following situation:

  ThisCell = cell1.domain.cc
  Auth servers for this cell: somehost1.domain.cc and somehost2.domain.cc
  (they are included in CellServDB)

  another cell: domain.cc (note same domain/cc as above, i.e. "parent" domain)
  Auth servers for the other cell: kerberos.domain.cc, kerberos-1.domain.cc,
                                   kerberos-2.domain.cc

> 
> Note that these tools do NOT support the "afs/<cell>@<REALM>"
> convention where cell != REALM.  If you have multiple AFS Cells
> sharing the same Kerberos realm (such as a number of MIT AFS Cells:
> afs/sipb.mit.edu@ATHENA.MIT.EDU) then you cannot use the distributed
> KAServer tools.

No, I think that is not the case here (see above). Two cells, two Kerberos
realms, no <cell>@<realm>.

Is it possible to make the Windows tools produce information on what servers
they talk to? The error message I get is not very helpful...

/Peter

> 
> -derek
> 
> "Peter Bloecher (EED)" <Peter.Bloecher@eed.ericsson.se> writes:
> 
> > Hello,
> >
> > as a followup to my problem posted yesterday (user doesn't exist):
> > Having played around with the auxiliary programs a little bit it seems
> > to me that the problem is caused by Kerberos problems.
> >
> > My guess is that Kerberos derives the authentication server name from
> > the domain name, which is a problem since the cell I want to connect
> > to has a name DIFFERENT from the domain name AND there is in fact a cell
> > which has the same name as the domain name.
> >
> > In other words: I think that the client talks to the wrong authentication
> > server, and thus does not find my username (since I have no account on that
> > server).
> >
> > Is there any way to configure the authentication server on Win9x?
> > On Unix, there are  /etc/krb.realms and /etc/krb.conf . Is there anything
> > equivalent?
> >
> > Any help greatly appreciated...
> >
> > /Peter
> >
> > "Peter Bloecher (EED)" wrote:
> > >
> > > Hello,
> > >
> > > I am trying to run the OpenAFS client (1.2.2b) for Win9x on a Win98 box.
> > > Trying to authenticate fails; the message is
> > >
> > >   "Unable to authenticate to AFS because: 'User doesn't exist'"
> > >
> > > Please find enclosed the relevant sections of afscli.log and afsd_init.log.
> > > Needless to say: accessing AFS from my SUN workstation does work
> > > using the same user name(s)/password(s) & the same ThisCell / CellServDB.
> > >
> > > Any help is highly welcome.
> > >
> > > Best regards,
> > > /Peter
> > >
> > > PS: please CC me on the mail
> > >
> > > --
> >
> > --
> >
> > Peter Bloecher, Ericsson Research
> > Speech & Signal Processing
> > Ericsson Eurolab Deutschland GmbH  Tel: +49 911 255 1307
> > Neumeyerstr. 50                    Fax: +49 911 255 1961
> > D-90411 Nuernberg                  mailto:Peter.Bloecher@eed.ericsson.se
> 
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available

-- 

Peter Bloecher, Ericsson Research
Speech & Signal Processing
Ericsson Eurolab Deutschland GmbH  Tel: +49 911 255 1307
Neumeyerstr. 50                    Fax: +49 911 255 1961
D-90411 Nuernberg                  mailto:Peter.Bloecher@eed.ericsson.se
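
Added example, not part of the original message and not OpenAFS code: a small checker that applies the rule quoted above (realm == cell name, cell taken from ThisCell) to a CellServDB and lists the servers that cell maps to, plus any other configured cell whose name is a parent domain of ThisCell. It assumes the client takes the cell's servers from its CellServDB entry; the function names are hypothetical, the IP addresses are constructed, and the upper-cased realm spelling is a convention assumed here.

```python
# Added illustration; not OpenAFS code. IP addresses are constructed
# (RFC 5737 documentation range); host and cell names are from the thread.
SAMPLE_CELLSERVDB = """\
>cell1.domain.cc        #cell from ThisCell
192.0.2.11              #somehost1.domain.cc
192.0.2.12              #somehost2.domain.cc
>domain.cc              #parent-domain cell
192.0.2.21              #kerberos.domain.cc
192.0.2.22              #kerberos-1.domain.cc
192.0.2.23              #kerberos-2.domain.cc
"""


def parse_cellservdb(text):
    """Return {cell: [(ip, hostname), ...]} from CellServDB text."""
    cells, current = {}, None
    for raw in text.splitlines():
        # Everything after '#' is a comment; server lines keep the hostname there.
        body, _, comment = raw.partition("#")
        body, comment = body.strip(), comment.strip()
        if body.startswith(">"):
            current = body[1:].strip().lower()
            cells.setdefault(current, [])
        elif body and current is not None:
            cells[current].append((body, comment))
    return cells


def auth_targets(this_cell, cellservdb_text):
    """Servers a KAServer-only client would ask, per the rule realm == cell."""
    cell = this_cell.strip().lower()
    cells = parse_cellservdb(cellservdb_text)
    if cell not in cells:
        raise KeyError(f"ThisCell {cell!r} has no entry in CellServDB")
    # Realm spelled as the upper-cased cell name: a convention assumed here.
    return {"cell": cell, "realm": cell.upper(), "servers": cells[cell]}


def shadowing_cells(this_cell, cellservdb_text):
    """Other configured cells whose name is a parent domain of ThisCell."""
    cell = this_cell.strip().lower()
    return [c for c in parse_cellservdb(cellservdb_text)
            if c != cell and cell.endswith("." + c)]


if __name__ == "__main__":
    print(auth_targets("cell1.domain.cc", SAMPLE_CELLSERVDB))
    print(shadowing_cells("cell1.domain.cc", SAMPLE_CELLSERVDB))
```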