FW: [OpenAFS] Windows XP problems getting an AFS token when logged into a Kerberos Realm

Douglas E. Engert deengert@anl.gov
Tue, 30 Nov 2004 09:55:04 -0600


Jeffrey Altman wrote:

> As Doug pointed out privately, if you are using either of his ak5log or 
> gssklog tools to obtain tokens for Unix, then you are not using the same 
> key for the afs@ASU.EDU principal as the one which is used by the AFS 
> servers.  If the keys don't match you will not be able to communicate 
> with the servers in any mode which requires authentication.
> 
> In fact, I believe that if you are using ak5log that you should not have 
> an afs@ASU.EDU principal at all.  ak5log uses a principal called 
> afsx/asu.edu@ASU.EDU instead of afs@ASU.EDU.  gssklog also uses its own 
> principal called gssklog/asu.edu@ASU.EDU.

  (Actually: gssklog/<servername>@<realm>)

> 
> If you want to use ak5log or gssklog on Windows you can do so, you just 
> can't use the tools which come with OpenAFS for Windows to obtain your 
> tokens.   By removing the afs@ASU.EDU principal you will prevent OpenAFS 
> for Windows from succeeding to obtain a ticket which can be used as a 
> token.
>

You can still add the afs/asu.edu@ASU.EDU and use the OpenAFS and KfW in
parallel with the gssklog and/or ak5log that you already have.
The trick is to make sure each of these keys has a different kvno, so
they can all be added to the OpenAFS KeyFile. This is because the KeyFile
today is not a keytab file and has only keys and kvnos, and no principal
names.


> There was a series of discussions started on 2004-09-22 on both the 
> openafs-info and openafs-dev mailing lists which discussed the impact of 
> the use of ak5log and gssklog.  I suggest you review them if that is in 
> fact what you are using on Unix/Linux to obtain your tokens.
> 
> Jeffrey Altman
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
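The point about the KeyFile above (keys and kvnos only, no principal names) is easiest to see by building one. The following is an added example, not code from the thread or from OpenAFS itself. It assumes the classic KeyFile layout as I understand it (a 4-byte network-order key count, then for each key a 4-byte network-order kvno followed by an 8-byte DES key, at most AFSCONF_MAXKEYS entries); the key bytes and the gssklog host name are constructed for illustration. The check rejects a second key with an already-used kvno, because once written the file can no longer tell which principal a given kvno belonged to.

```python
import struct

AFSCONF_MAXKEYS = 8  # assumed limit on entries in the classic KeyFile

# Constructed sample keys (NOT real keys).  The principal name is kept here
# only to show which key is which; it is never written to the KeyFile.
SAMPLE_KEYS = [
    ("afs/asu.edu@ASU.EDU",            3, bytes.fromhex("0123456789abcdef")),
    ("afsx/asu.edu@ASU.EDU",           5, bytes.fromhex("fedcba9876543210")),
    ("gssklog/afsdb.asu.edu@ASU.EDU",  7, bytes.fromhex("13579bdf02468ace")),
]


def build_keyfile(entries):
    """Serialize [(kvno, 8-byte key), ...] into KeyFile bytes.

    Raises ValueError if two entries share a kvno: the file stores no
    principal names, so the server could not tell the keys apart and
    whichever it picked for that kvno would fail for the other service.
    """
    kvnos = [kvno for kvno, _ in entries]
    dups = sorted({k for k in kvnos if kvnos.count(k) > 1})
    if dups:
        raise ValueError(f"duplicate kvno(s) {dups}: KeyFile carries no "
                         "principal names, so each key needs its own kvno")
    if len(entries) > AFSCONF_MAXKEYS:
        raise ValueError(f"at most {AFSCONF_MAXKEYS} keys fit in a KeyFile")
    out = struct.pack(">i", len(entries))          # nkeys, network byte order
    for kvno, key in entries:
        if len(key) != 8:
            raise ValueError("classic KeyFile holds 8-byte DES keys only")
        out += struct.pack(">i", kvno) + key       # kvno, then raw key bytes
    return out


def parse_keyfile(data):
    """Parse KeyFile bytes back into {kvno: key}.  Note what is missing:
    there is no principal name to recover, only the kvno."""
    (nkeys,) = struct.unpack_from(">i", data, 0)
    keys = {}
    off = 4
    for _ in range(nkeys):
        (kvno,) = struct.unpack_from(">i", data, off)
        keys[kvno] = data[off + 4:off + 12]
        off += 12
    return keys


def key_for_ticket(keys, kvno):
    """What the AFS server does when a ticket arrives: select by kvno alone."""
    return keys.get(kvno)


def demo():
    """Three services, three distinct kvnos: all coexist in one KeyFile."""
    entries = [(kvno, key) for _, kvno, key in SAMPLE_KEYS]
    data = build_keyfile(entries)
    keys = parse_keyfile(data)
    # A token minted with gssklog's key (kvno 7) is decrypted with that key.
    assert key_for_ticket(keys, 7) == SAMPLE_KEYS[2][2]
    return keys


def collision_demo():
    """Re-keying afs/asu.edu at kvno 5 would collide with afsx/asu.edu."""
    entries = [(5, SAMPLE_KEYS[0][2]), (5, SAMPLE_KEYS[1][2])]
    try:
        build_keyfile(entries)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for kvno, key in sorted(demo().items()):
        print(f"kvno {kvno}: {key.hex()}")
    print(collision_demo())
```

In practice this means: when creating the afs/asu.edu@ASU.EDU key in the KDC, pick (or bump to) a kvno that neither the afsx/ nor the gssklog/ principal is using, then add it to the KeyFile with that kvno; the same care applies every time any of the three is re-keyed.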