[OpenAFS] Windows XP SP2, OpenAFS 1.4.3rc3, KfW 2.6.5

Douglas E. Engert deengert@anl.gov
Wed, 14 Mar 2007 13:52:14 -0500


James Rogers wrote:
> I'm having a problem getting OpenAFS 1.4.3 and KfW 2.6.5 working 
> properly. I'm working on Windows XP SP2 joined to a Windows 2003 Active 
> Directory domain. I installed and configured both clients (OpenAFS and 
> KfW). When I log in to the domain with my user account I get AFS tokens 
> and Kerberos V tickets (per the leash32 gui), but I receive an "Access 
> is Denied" message when attempting to navigate to any AFS directory such 
> as: \\afs\nd.edu\. I'm not sure if this is of any relevance, but our 
> Active Directory domain and our MIT Kerberos V realm are named the same 
> ("ND.EDU").

If the AD domain and the Kerberos realm have the same name (but not the same 
KDCs) you have a problem.

Some code will see ..@ND.EDU and try and use the KDCs for AD. Some code
will try and use your MIT Kerberos V realm. AFS will only be the first
of many problems you will have if you try and use the same realm name
for both. (For example, the DNS SRV records can only point at one. KfW,
if it imports tickets from Windows, then tries to use the TGT against
your MIT Kerberos V realm.)

Options:

  Rename one of the realms, and maybe use cross realm between them.

  Just use the AD KDCs for everything.


> 
> I disabled the use of Kerberos IV because I need to get pure Kerb5 
> authentication working so we can plan to phase out its use here at Notre 
> Dame.
> 
> Any ideas what could be causing this problem?
> 
> --James
> Univ. of Notre Dame
> Systems Engineer

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
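
Added example, not part of the original message or of OpenAFS/KfW: a small Python check for the conflict described in the reply, where one realm name maps to two different KDC sets depending on whether code reads the local Kerberos configuration or the DNS SRV records. The realm `EXAMPLE.EDU`, all hostnames, the `krb5.ini` text and the SRV answers are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample: MIT-style krb5.ini listing the MIT KDCs for the realm.
KRB5_INI = """\
[libdefaults]
    default_realm = EXAMPLE.EDU
    dns_lookup_kdc = true

[realms]
    EXAMPLE.EDU = {
        kdc = mitkdc1.example.edu:88
        kdc = mitkdc2.example.edu
        admin_server = mitkdc1.example.edu
    }
"""

# Constructed sample: SRV answers (priority weight port target) as an AD DNS
# zone of the same name would publish them for its domain controllers.
SRV_ANSWERS = {
    "_kerberos._udp.example.edu": ["0 100 88 dc1.example.edu.",
                                   "0 100 88 dc2.example.edu."],
}

def kdcs_from_krb5(text, realm):
    """Return the KDC hostnames listed for `realm` under [realms]."""
    section = re.search(r"^\[realms\]\s*$(.*?)(?=^\[|\Z)", text, re.M | re.S)
    if not section:
        return set()
    block = re.search(r"^\s*" + re.escape(realm) + r"\s*=\s*\{(.*?)\}",
                      section.group(1), re.M | re.S)
    if not block:
        return set()
    hosts = re.findall(r"^\s*kdc\s*=\s*(\S+)", block.group(1), re.M)
    # Drop an optional :port suffix and normalise case and trailing dot.
    return {h.rsplit(":", 1)[0].lower().rstrip(".") for h in hosts}

def kdcs_from_srv(answers, realm):
    """Return the KDC hostnames published in DNS SRV for `realm`."""
    rrs = answers.get("_kerberos._udp." + realm.lower(), [])
    return {rr.split()[3].lower().rstrip(".") for rr in rrs}

def realm_conflict(text, answers, realm):
    """Compare the two KDC sources that different code paths may consult."""
    cfg, dns = kdcs_from_krb5(text, realm), kdcs_from_srv(answers, realm)
    return {"config_only": sorted(cfg - dns), "dns_only": sorted(dns - cfg),
            "conflict": bool(cfg and dns and cfg.isdisjoint(dns))}

if __name__ == "__main__":
    print(realm_conflict(KRB5_INI, SRV_ANSWERS, "EXAMPLE.EDU"))
```

A `conflict` of `True` means a TGT obtained from one KDC set can be presented to the other, which is the situation the reply warns about.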