[OpenAFS] aklog/wake on Windows 2003 Terminal Server ?

Christopher D. Clausen cclausen@acm.org
Wed, 10 Dec 2003 08:30:21 -0600


I have Windows 2003 machines set up with a trust to a MIT Kerberos Realm
for single sign-on and users successfully receive tickets and then tokens
by a logon script that simply runs Doug Engert's gssklog (although it
required some modifications to the Kerberos libraries on the server that
runs gssklogd).

I made no modifications to the trusted MIT realm for AFS, as I had no
permission to do so.  I do have gssklog service principals added to the
Windows domain so that gssklog works correctly.

In theory, you should be able to do the same thing using ms2mit and then
aklog, although I have not fully tested it.  Or do you have an aklog
that reads the Microsoft credentials cache?

On 2003 server, you probably want to copy /y C:\windows\afs*
%userprofile%\windows in a logon script to ensure that each user has a
copy of the AFS config files.  (I wish this was moved to the registry.)
Windows 2003 maintains a separate "Windows" directory per user to enable
per-user settings on programs that write config files to C:\windows.
There are issues with AFS because the service runs as SYSTEM and
afscreds runs as a user.  They look in different places.  Hopefully, you
installed AFS from "install mode" (run change user /install from a cmd
prompt).

<<CDC
Christopher D. Clausen
ACM@UIUC SysAdmin

Jeffrey Altman <jaltman@columbia.edu> wrote:
> If you are logging into Windows via a MIT KDC then Windows is going to
> look to the KDC for service principals to authenticate to local SMB
> services.  Look in the KDC log for unknown service principal errors.
> You are going to need to install additional service principals in the
> KDC to support the proper operation of Windows.
>
> Jeffrey Altman
>
>
> Holger Brückner wrote:
>
>> some more information:
>>
>> the openafs client doesn't work correctly when I use the mit kdc for
>> password authentication (this windows server has a trust on a mit kdc
>> for single sign on).
>> symptom: I don't see any volume/file server preferences in the
>> advanced configuration tab.
>>
>> it works correctly when I'm authenticated against the windows domain
>> (same user).
>>
>> any further suggestions?
>>
>> terminal server is running windows 2003 server standard with all
>> available hotfixes.
>>
>> thanks a lot
>>
>> Holger Brueckner
>> net-labs Systemhaus GmbH