[OpenAFS] gssklogd access from windows

Chris McClimans openafs-info@mcclimans.net
Thu, 4 Sep 2003 13:08:31 -0500


Here are some gssklog attempts from a Windows box that is part of the 
TTU.EDU realm/domain.
The AFS cell is cs.ttu.edu in realm CS.TTU.EDU.
There is a one-way trust where users in TTU.EDU can get 
krbtgt/CS.TTU.EDU but not the other way around.

I think the problem here is that the tickets retrieved from MIT and MS 
differ somewhat, but in what manner I am unsure.
Any comments or suggestions are welcome.

## Attempt to use gssklog using the MS credential cache. (This would be the preferred way.)
## I have logged into the computer using the normal GINA as cmcclima@TTU.EDU

C:\gssklog>klist tickets

Cached Tickets: (5)

    Server: krbtgt/TTU.EDU@TTU.EDU
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 9/4/2003 22:45:16
       Renew Time: 9/11/2003 12:45:16


    Server: krbtgt/TTU.EDU@TTU.EDU
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 9/4/2003 22:45:16
       Renew Time: 9/11/2003 12:45:16


    Server: CERBERUS$@TTU.EDU
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 9/4/2003 22:45:16
       Renew Time: 9/11/2003 12:45:16


    Server: ldap/stheno.ttu.edu/ttu.edu@TTU.EDU
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 9/4/2003 22:45:16
       Renew Time: 9/11/2003 12:45:16


    Server: STHENO$@TTU.EDU
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 9/4/2003 22:45:16
       Renew Time: 9/11/2003 12:45:16


C:\gssklog>gssklog.exe -ms
SSPI-error init_sec_context failed: major:80090303 minor:0012f200
The specified target is unknown or unreachable

Problem 2 with server elm.cs.ttu.edu, trying next
SSPI-error init_sec_context failed: major:80090303 minor:0012f1f0
The specified target is unknown or unreachable

Problem 2 with server oak.cs.ttu.edu
Failed code = 2

## Attempt to use gssklog via MIT (converting MS credentials to MIT cache)
## I have logged into the computer via normal GINA as cmcclima@TTU.EDU
## however this time klist / kinit / ms2mit etc. are all the MIT versions.

C:\Documents and Settings\cmcclima\Desktop\gssklog-mit> klist
klist: No credentials cache found (ticket cache API:krb5cc)

C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>ms2mit

C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>klist
Ticket cache: API:krb5cc
Default principal: cmcclima@TTU.EDU

Valid starting     Expires            Service principal
09/04/03 12:45:16  09/04/03 22:45:16  krbtgt/TTU.EDU@TTU.EDU
         renew until 09/11/03 12:45:16

C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>gssklog
GSS-error init_sec_context failed: major:000d0000 minor:00000000
Miscellaneous failure
No error
Problem 2 with server elm.cs.ttu.edu, trying next
GSS-error init_sec_context failed: major:000d0000 minor:00000000
Miscellaneous failure
No error
Problem 2 with server oak.cs.ttu.edu
Failed code = 2

C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>gssklog -ms
SSPI-error init_sec_context failed: major:80090303 minor:0012f200
The specified target is unknown or unreachable

Problem 2 with server elm.cs.ttu.edu, trying next
SSPI-error init_sec_context failed: major:80090303 minor:0012f1f0
The specified target is unknown or unreachable

Problem 2 with server oak.cs.ttu.edu
Failed code = 2


## Attempt to use gssklog via MIT only, starting with an empty credential cache
## This is the only method that appears to work (and seems to prove that the servers are
## configured correctly). What might I have configured wrong in the above attempts?

C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>klist
klist: No credentials cache found (ticket cache API:krb5cc)

C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>kinit cmcclima@TTU.EDU
Password for cmcclima@TTU.EDU:

C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>klist
Ticket cache: API:krb5cc
Default principal: cmcclima@TTU.EDU

Valid starting     Expires            Service principal
09/04/03 12:49:26  09/04/03 22:49:26  krbtgt/TTU.EDU@TTU.EDU

C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>gssklog

C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>klist
Ticket cache: API:krb5cc
Default principal: cmcclima@TTU.EDU

Valid starting     Expires            Service principal
09/04/03 12:49:26  09/04/03 22:49:26  krbtgt/TTU.EDU@TTU.EDU
09/04/03 12:49:26  09/04/03 22:49:26  krbtgt/CS.TTU.EDU@TTU.EDU
09/04/03 12:49:35  09/04/03 22:49:26  gssklog/elm.cs.ttu.edu@CS.TTU.EDU

C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>tokens

Tokens held by the Cache Manager:

User cmcclima's tokens for afs@cs.ttu.edu [Expires Sep 04 22:49]
    --End of list --