[OpenAFS] aklog -4 magically makes things work?

Eric Jonas jonas@MIT.EDU
Fri, 10 Dec 2004 08:44:26 -0500


> >    Actually, the mwl.ai.mit.edu cell is running 1.3.71, but I will try
> >upgrading the windows machine to 1.3.75 today and using the suggestions
> >below. Thanks!
> >		...Eric Jonas
> 
> 
> What is the cell using for authentication?
> Does it obtain afs service tickets using the ATHENA.MIT.EDU principal?

We're running our own kerberos realm, the principals are from our
MWL.AI.MIT.EDU realm. Our kerberos server is using the most recent
version of kerberos in debian-stable, and most of our clients are linux
machines running 1.2.11 as packaged by MIT. 

I upgraded the windows machine to 1.3.75, and enabled the Use524
registry key, and it all now works. To recap, we have:

1. users logging in to the windows machine via the kerberos principals in
our MWL.AI.MIT.EDU realm via an MIT-kerberos KDC. 
2. Using the latest version of KfW, leash can see these tickets and
interact with them. 
3. Now, using the above steps, the same single sign-on gives us afs
tokens that let the user use openafs to access their home directory. 

It's like a ghetto version of win-athena, it works really well. The only
downside is that users must first "exist" on the windows machine before
someone can log in; I've solved this by running the cygwin sshd on the
windows machine and once a day sshing in and synchronizing user
principal names from my KDC with the accounts on the windows machine
(and giving the accounts on the windows machine "dummy passwords",
i.e. the authentication itself is all still through kerberos). 

I never thought the interoperability would work this smoothly; thanks
for the help! If anyone else is interested in trying this and wants me
to write up more detailed instructions, I'd be happy to. 

Thanks again, 
	 ...Eric
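The once-a-day account synchronization mentioned above is the one part of this setup that needs a script. The following is an added example, not Eric's script or anything from OpenAFS or KfW: it derives the set of local Windows account names that should exist from a list of Kerberos principals and compares it with the accounts already present. Both input lists here are constructed sample data; in practice the principal list would come from `kadmin.local -q listprincs` on the KDC and the account list from `net user` on the Windows host, fetched over the cygwin ssh session described in the post. Principals with an instance (`alice/admin`, `host/...`, `afs/...`, `krbtgt/...`) and principals from other realms are deliberately excluded, so only plain user principals of the local realm turn into accounts.

```shell
#!/bin/sh
# Added example: map Kerberos principals to local account names and diff
# them against the accounts on the Windows machine. Not from the original
# post; REALM, the sample principal list and the sample account list are
# assumptions chosen for illustration.

REALM="MWL.AI.MIT.EDU"

# Constructed sample in the shape of `kadmin.local -q listprincs` output.
SAMPLE_PRINCS='jonas@MWL.AI.MIT.EDU
alice@MWL.AI.MIT.EDU
alice/admin@MWL.AI.MIT.EDU
host/ws1.mwl.ai.mit.edu@MWL.AI.MIT.EDU
afs/mwl.ai.mit.edu@MWL.AI.MIT.EDU
krbtgt/MWL.AI.MIT.EDU@MWL.AI.MIT.EDU
bob@ATHENA.MIT.EDU
Bad Name@MWL.AI.MIT.EDU'

# Constructed sample: accounts currently present on the Windows machine.
SAMPLE_ACCOUNTS='Administrator
jonas
olduser'

# principals_to_users: keep only single-component principals of our realm
# (no '/' instance, so admin and service principals are skipped) whose name
# is safe as a Windows account name; emit one lowercase username per line.
principals_to_users() {
    printf '%s\n' "$1" |
    grep -E "^[A-Za-z0-9._-]+@$(printf '%s' "$REALM" | sed 's/\./\\./g')\$" |
    sed 's/@.*//' |
    tr 'A-Z' 'a-z' |
    sort -u
}

# normalize_accounts: lowercase and de-duplicate an account list.
normalize_accounts() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sort -u
}

# set_minus: print every line of list $1 that does not occur in list $2.
# Lines are tagged A/B so a single awk pass can read both lists from stdin.
set_minus() {
    {
        printf '%s\n' "$2" | sed 's/^/B /'
        printf '%s\n' "$1" | sed 's/^/A /'
    } | awk '$1 == "B" { seen[$2] = 1; next }
             $1 == "A" && $2 != "" && !($2 in seen) { print $2 }'
}

# accounts_to_add: users with a principal but no local account yet.
accounts_to_add() {
    set_minus "$(principals_to_users "$1")" "$(normalize_accounts "$2")"
}

# accounts_to_remove: local accounts whose principal no longer exists.
# Built-in accounts are never reported; they are not managed by the KDC.
accounts_to_remove() {
    set_minus "$(normalize_accounts "$2")" "$(principals_to_users "$1")" |
    grep -v -E '^(administrator|guest)$' || true
}

echo "accounts to add:"
accounts_to_add "$SAMPLE_PRINCS" "$SAMPLE_ACCOUNTS"
echo "accounts to remove:"
accounts_to_remove "$SAMPLE_PRINCS" "$SAMPLE_ACCOUNTS"
```

With the sample data the script reports `alice` to add and `olduser` to remove; the `alice/admin`, `host/`, `afs/` and `krbtgt/` principals and the foreign-realm `bob@ATHENA.MIT.EDU` never become accounts. Reporting stale accounts for removal is what makes the sync actually track the KDC: an account left behind after its principal is deleted would keep existing on the Windows machine even though nobody can obtain tickets for it any more.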