[OpenAFS] Re: Windows AFS client / Kerberos V
Joe Buehler
jbuehler@spirentcom.com
Mon, 29 Jan 2007 13:07:52 -0500
Rodney M Dyer wrote:
> HOWEVER! Performing the full install of the Kerb for Windows client
> using the MSI would probably be just as easy, if not more "proper".

Thank you for the detailed information. Installing the MSI is what I plan
on eventually. The problem at the moment is that the MSI approach is a
serious pain (mainly for political reasons), so I am looking for a more
incremental approach.

I finally found what I think I am looking for here:
http://www.openafs.org/pipermail/openafs-info/2003-July/010159.html
which says:
> OpenAFS ships with a number of authentication-related utilities for use on
> clients; the most notable of these is 'klog'. On UNIX systems (including
> MacOS X), these tools speak the kaserver protocol; they will work with a
> real kaserver, or a Heimdal KDC configured to handle kaserver requests, or
> an MIT KDC running fakeka. On Windows, these tools speak the Kerberos IV
> protocol; they will work with a real kaserver, or a Heimdal KDC built with
> krb4 support, or any MIT KDC.

OK, so I now have an MIT KDC with Kerberos IV support enabled. I try to obtain
tokens via the usual method (padlock in systray) and sure enough, I can get them.

However, as soon as I try to access a directory in Windows Explorer that requires
valid credentials, I get an access denied popup and notice that my tokens have
been discarded (padlock has red X).

Any idea what is causing this behavior?
--
Joe Buehler