[OpenAFS] tokens via aklog on XP don't work. klog tokens do.

Dan Pritts danno@internet2.edu
Tue, 26 Aug 2003 12:11:40 -0400

hi all,  

I'm having trouble with afs on windows XP on IBM thinkpads.  I'm using
an XP image put together by my windows guy here.  My red hat, debian,
and solaris boxes all work fine, as does a win2k install on the laptop,
and a dell desktop XP instance.

I have tried openafs releases 1.2.9a and 1.2.10, with WAKE 2.5, and a
kerberos binary distribution from the wake site, dated 9/02.

I can "klog" to the umich.edu cell (which is using the old kaserver)
and write to my afs space there using those tokens.

I can kinit to my local K5 realm, and i get tickets.  aklog claims to
give me a token and "tokens" agrees.  

However, when i attempt to write to afs space in my local cell, i am told
"Access is denied." from the windows command line or similar errors with
other methods.

I tried Rodney Dyer's afsk5log program but i haven't gotten the
right combination of afs client, kerberos, and afsk5log working
together so that it works for me.

The XP system has the following hotfixes/SPs/options installed:

various IBM thinkpad stuff
advanced networking pack for windows XP  
.NET framework 1.0.3705
.NET framework 1.1
tweakUI powertoy
Many hotfixes (all via windows update)
XP Service Pack 1

There is plenty of other stuff installed too of course, but my 
best guess is that the rest is all user-level only.

I uninstalled the "advanced networking pack" with no effect.

Any thoughts on what to try to track this down appreciated.

Date: Fri, 11 Jul 2003 12:36:52 -0400
From: Dan Pritts <danno@internet2.edu>
To: openafs-info@openafs.org
Subject: windows XP problems, tips and tricks

hi all -

i'm having trouble with afs on windows xp.

a previous install worked fine.  

The symptom is that I can map drives and I can get tickets and tokens
via wake, but i am not given authenticated user access - can't write to
or browse protected directories.

details - 
  windows XP up to date including all service packs and hot fixes
   through today (7/11/03)
  ipv6 disabled
  firewall disabled
  windows username same as afs username 
  computer name "Ghost" (less than 14 chars, no special chars)
  openafs 1.2.9a
  wake 2.5 with kerberos5 downloaded from wake site 7/9/03

one thing i was wondering about was the DNS name of the windows machine -
it is a dynamic DHCP client and we don't have dynamic dns updates happening.
However, a win2k machine that works is in the same situation.

While I am at it, i know there are various "gotchas" with the windows
afs client (eg, the host name less than 14 chars), but I do not know 
what they all are.  Can someone elucidate me?  I'll add a windows
client section to the FAQ in the wiki.

Finally, i haven't had time to troubleshoot this very far, but it seems
like when getting addressless kerberos tickets on windows, i cannot
then get a working token (i do not remember whether i get a token at
all).  In general, i don't care about using addressless tickets, but
i thought it would be necessary to get them when behind NAT.

Is there a windows-specific afs mailing list i am not aware of?

thanks in advance

dan pritts                                       danno@internet2.edu
systems administrator                            734/352-4953 office
internet2                                        734/834-7224 mobile

