[OpenAFS] Re: Windows TGS_REQ on alternate Netbios Names

Jason C. Wells jcw@highperformance.net
Fri, 28 Nov 2003 20:53:03 -0800 (PST)


On Fri, 28 Nov 2003, Jeffrey Altman wrote:

> Based upon the etypes list, this is a request coming from Windows
> itself.  My guess is that since you are logged into the machine via the
> Kerberos LSA, Windows is trying to authenticate the access to the SMB
> name published by OpenAFS with Kerberos.
>
> You will most likely have to add service principals to your KDC for the
> -AFS extended host names if you want to avoid the error messages.
> Remember that all of the principals for a given host have to use the
> same password.

That's what I had concluded after all.  I had hoped someone would be able
to point me to a cool registry hack that fixed windows icky behavior.

I tried monkeying around with the "Running AFS on Loopback" that I read
about in the AFS Wiki.  I later read your comments on disabling loopback
hack. Knowing that a future release will not support the loopback hack, I
decided against continuing it's use.

The nice thing about it was that W13-AFS didn't appear in the NBTSTAT -n
output for the "real" network interface.  For a while, the windows
kerberos madness stopped.  (I went through a bazillion iterations today,
so I may not be remembering correctly.)

But I do have a functioning single sign on network now.  Only MIT Kerberos
5 does my authentication now and everything I run uses it. w00t!

Later,
Jason