[OpenAFS] aklog/wake on Windows 2003 Terminal Server ?

Holger Brückner lists@net-labs.de
10 Dec 2003 15:51:36 +0100


hello,

your users are logging into Windows with their own client workstations?
this works perfectly here. what doesn't work is using an RDP client to
use Windows 2003 Terminal Services.

it works if I'm logging into Terminal Services authenticating against
the Windows KDC, then issue a kinit && aklog.

what I really would like to have is logging into Windows Terminal
Services via the MIT KDC, then do a ms2mit and aklog (wake is capable of
doing this during startup) :)


On Wed, 2003-12-10 at 15:30, Christopher D. Clausen wrote:
> I have Windows 2003 machines set up with a trust to a MIT Kerberos Realm
> for single sign-on and users successfully receive tickets and then tokens
> by a logon script that simply runs Doug Engert's gssklog (although it
> required some modifications to the Kerberos libraries on the server that
> runs gssklogd).
> 
> I made no modifications to the trusted MIT realm for AFS, as I had no
> permission to do so.  I do have gssklog service principals added to the
> Windows domain so that gssklog works correctly.
> 
> In theory, you should be able to do the same thing using ms2mit and then
> aklog, although I have not fully tested it.  Or do you have an aklog
> that reads the Microsoft credentials cache?
> 
> On 2003 server, you probably want to copy /y C:\windows\afs*
> %userprofile%\windows in a logon script to ensure that each user has a
> copy of the AFS config files.  (I wish this was moved to the registry.)
> Windows 2003 maintains a separate "Windows" directory per-user to enable
> per-user settings on programs that write config files to C:\windows.
> There are issues with AFS because the service runs as SYSTEM and
> afscreds runs as a user.  They look in different places.  Hopefully, you
> installed AFS from "install mode" (run change user /install from a cmd
> prompt).
> 
> <<CDC
> Christopher D. Clausen
> ACM@UIUC SysAdmin
> 
> Jeffrey Altman <jaltman@columbia.edu> wrote:
> > If you are logging into Windows via a MIT KDC then Windows is going to
> > look to the KDC for service principals to authenticate to local SMB
> > services.  Look in the KDC log for unknown service principal errors.
> > You are going to need to install additional service principals in the
> > KDC to support the proper operation of Windows.
> >
> > Jeffrey Altman
> >
> >
> > Holger Brückner wrote:
> >
> >> some more information:
> >>
> >> the openafs client doesn't work correctly when I use the MIT KDC for
> >> password authentication (this Windows server has a trust on a MIT KDC
> >> for single sign-on).
> >> symptom: I don't see any volume/file server preferences in the
> >> advanced configuration tab.
> >>
> >> it works correctly when I'm authenticating against the Windows domain
> >> (same user).
> >>
> >> any further suggestions?
> >>
> >> terminal server is running windows 2003 server standard with all
> >> available hotfixes.
> >>
> >> thanks a lot
> >>
> >> Holger Brueckner
> >> net-labs Systemhaus GmbH
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
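The logon-script flow discussed in this thread (per-user copy of the AFS config files on Terminal Server, then ms2mit followed by aklog), written out as an added example; it is not a script from the thread or from the OpenAFS project. It assumes ms2mit.exe, aklog.exe and tokens.exe are on the PATH and that each tool returns a non-zero exit code on failure, and the log file location is a constructed choice.

```batch
@echo off
rem Added example logon script, not from the thread. Assumes MIT Kerberos for
rem Windows (ms2mit) and the OpenAFS client (aklog, tokens) are on the PATH.
set LOGFILE=%TEMP%\afs-logon.log

rem Step 1: Windows 2003 Terminal Server keeps a per-user "Windows" directory,
rem so give this user a private copy of the AFS config files (as suggested above).
if not exist "%USERPROFILE%\Windows" mkdir "%USERPROFILE%\Windows"
copy /y "%SystemRoot%\afs*" "%USERPROFILE%\Windows\" >nul
if errorlevel 1 echo %DATE% %TIME% warning: could not copy AFS config files >> "%LOGFILE%"

rem Step 2: import the Kerberos TGT from the Windows LSA cache into the MIT
rem credential cache. Without this aklog has no ticket to work from.
ms2mit
if errorlevel 1 (
    echo %DATE% %TIME% ms2mit failed, no MIT credential cache; skipping aklog >> "%LOGFILE%"
    exit /b 1
)

rem Step 3: exchange the imported ticket for an AFS token.
aklog
if errorlevel 1 (
    echo %DATE% %TIME% aklog failed; check the KDC log for unknown service principal errors >> "%LOGFILE%"
    exit /b 1
)

rem Step 4: record the resulting token so a failed logon can be diagnosed later.
tokens >> "%LOGFILE%"
exit /b 0
```

Because ms2mit is a hard prerequisite for aklog, the script stops at the first failed step rather than reporting a misleading aklog error when no ticket was ever imported.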