[OpenAFS] Client looks for a machine-afs kerberos host key

Douglas E. Engert deengert@anl.gov
Fri, 08 Aug 2003 13:32:37 -0500


Jerome Walter wrote:
> 
> On Thu, Aug 07, 2003 at 11:34:29AM -0500, Douglas E. Engert wrote:
> >
> >
> > Jerome Walter wrote:
> > >
> > > Hi,
> > >
> > > I just started again trying to get my afs clients to work under windows with a
> > > MIT Kerberos KDC.
> >
> > You are using the K4 protocol, I assume, as you said you are using afscreds.exe
> 
> Yes, I had to open K4 to get this to work. By the way, I would like to disable
> K4, but never found the way to do it.
> 
> For the moment, the K5 authentication on the Windows 2k is done by the
> Microsoft process and no MIT libraries are installed. If I get a way to
> install MIT (assuming I am out of the US) and keep the trusted authentication
> process, I would be the happiest guy on earth.
> 
> So is there a way to get my openafs client to use K5 only tickets? What is
> the config? I must have missed a thing, because my AFS-K5 config works
> perfectly well on Linux, but Windows and Solaris are quite annoying me.
> 

So you have set up the afs principal in some K5 realm, and added the
key to the /usr/afs/KeyFile already?

I sent a note to openafs earlier this week on using MSKLOG, which is a klog
that uses the built-in Microsoft SSPI and LSA to get a K5 ticket and use it
for an AFS token. This might be what you are looking for. See:

ftp://achilles.ctd.anl.gov/pub/DEE/README.MSKLOG
ftp://achilles.ctd.anl.gov/pub/DEE/msklog-0.0.tar 


> > > This time, it is a little better, but nothing wonderful. First of all, I only get
> > > access to my AFS files if I am not authenticated. When authenticating, I
> > > manage to get the credentials with afscreds.exe. But when I get these
> > > credentials, the share does not work anymore:
> > >  - first I keep the access to files in cache, but it breaks quickly.
> > >  - when trying to get access to any file not in cache, I get an error telling
> > >    that afs server does not respond or is in process of being started.
> > >
> > >    Do you know where this problem of credentials can come from?
> >
> > Sounds like the token you have obtained is encrypted in a key that is not
> > in the AFS KeyFile, or the keys don't match.
> 
> That's an idea. If only I knew where to file the info on the key used...
> 
> > I was running into similar behavior when testing the msklog program.
> >
> > There is a way to use rxdebug to see the error number on a connection.
> > I just don't recall.
>
> Too bad...

This was a hint to you to try rxdebug -help and figure it out.

> 
> [snip]
> 
> Jerome Walter
> 
> --
> -+--   Jérôme Walter -  I2 EFREI                          ----+-
>  Equipe Système - Efrei Robotique - Jap'Efrei - Erasmus Tutors
>  "The World is my country" - "Nihon no tomodachi desu"
> EFREI System and Networking guide http://perso.efrei.fr/~walter/
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444