FW: [OpenAFS] Windows XP problems getting an AFS token when logged
into a Kerberos Realm
Douglas E. Engert
deengert@anl.gov
Tue, 30 Nov 2004 09:55:04 -0600
Jeffrey Altman wrote:
> As Doug pointed out privately, if you are using either of his ak5log or
> gssklog tools to obtain tokens for Unix, then you are not using the same
> key for the afs@ASU.EDU principal as the one which is used by the AFS
> servers. If the keys don't match you will not be able to communicate
> with the servers in any mode which requires authentication.
>
> In fact, I believe that if you are using ak5log that you should not have
> an afs@ASU.EDU principal at all. ak5log uses a principal called
> afsx/asu.edu@ASU.EDU instead of afs@ASU.EDU. gssklog also uses its own
> principal called gssklog/asu.edu@ASU.EDU.
(Actually: gssklog/<servername>@<realm>)
>
> If you want to use ak5log or gssklog on Windows you can do so, you just
> can't use the tools which come with OpenAFS for Windows to obtain your
> tokens. By removing the afs@ASU.EDU principal you will prevent OpenAFS
> for Windows from succeeding to obtain a ticket which can be used as a
> token.
>
You can still add the afs/asu.edu@ASU.EDU and use the OpenAFS and KfW in
parallel with the gssklog and/or ak5log that you already have.
The trick is to make sure each of these keys has a different kvno, so
they can all be added to the OpenAFS KeyFile. This is because the KeyFile
today is not a keytab file and has only keys and kvnos, and no principal
names.
> There was a series of discussions started on 2004-09-22 on both the
> openafs-info and openafs-dev mailing lists which discussed the impact of
> the use of ak5log and gssklog. I suggest you review them if that is in
> fact what you are using on Unix/Linux to obtain your tokens.
>
> Jeffrey Altman
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
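
Added example (not part of the original message and not OpenAFS code): a pre-flight check for the point above that the KeyFile holds only keys and kvnos, so every principal whose key is added must use a distinct kvno. It assumes the classic KeyFile layout of a 32-bit big-endian key count followed by records of a 32-bit kvno and an 8-byte DES key; the sample file contents and key bytes are constructed.

```python
import struct
from collections import defaultdict

# Assumed record layout: 32-bit big-endian kvno followed by an 8-byte DES key.
REC = struct.Struct(">i8s")


def build_keyfile(entries):
    """Build a KeyFile image from (kvno, key) pairs; used only for the sample."""
    body = b"".join(REC.pack(kvno, key) for kvno, key in entries)
    return struct.pack(">i", len(entries)) + body


def keyfile_kvnos(blob):
    """Return the kvnos stored in a KeyFile image (no principal names exist)."""
    if len(blob) < 4:
        raise ValueError("KeyFile image is truncated")
    (count,) = struct.unpack_from(">i", blob, 0)
    if count < 0 or 4 + REC.size * count > len(blob):
        raise ValueError("KeyFile image is truncated or corrupt")
    return [REC.unpack_from(blob, 4 + REC.size * i)[0] for i in range(count)]


def kvno_conflicts(existing_kvnos, planned):
    """Map each kvno claimed more than once to everything that claims it.

    planned is a list of (principal, kvno) pairs about to be added.
    """
    owners = defaultdict(list)
    for kvno in existing_kvnos:
        # The KeyFile cannot say which principal this key belongs to.
        owners[kvno].append("<already in KeyFile>")
    for principal, kvno in planned:
        owners[kvno].append(principal)
    return {k: v for k, v in owners.items() if len(v) > 1}


# Constructed sample: dummy keys, kvnos 1 and 2 already in the KeyFile.
SAMPLE = build_keyfile([(1, b"\x00" * 8), (2, b"\x11" * 8)])

if __name__ == "__main__":
    planned = [("afs/asu.edu@ASU.EDU", 1)]  # collides with an existing kvno
    found = kvno_conflicts(keyfile_kvnos(SAMPLE), planned)
    for kvno, who in sorted(found.items()):
        print(f"kvno {kvno} claimed by: {', '.join(who)}")
```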