[OpenAFS] Windows Kerberos & OpenAFS Plugin Issues

Tim Schaab tim@geology.wisc.edu
Wed, 09 May 2007 12:52:13 -0500 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

Are there any tips out there on how to debug my problem of the Network
Identity Manager not being able to obtain the AFS tokens?

I've been searching for the past few days on info on my problem. I am
setting up a proof on concept system to test Kerberos & OpenAFS for
rollout in the department. On the Linux side, everything is fine. On
Windows, I am having some issues with the Network Identity Manager.

When I try to obtain tokens for Kerberos 5 and my AFS cell I get the
Kerberos TGT, but no AFS tokens. It gives me an error saying
"Credentials could not be obtained for cell <cell name>". On the
Kerberos KDC, I get this error in the logs:

- -- START krb5kdc.log --

May 09 11:43:04 kdc1.geology.wisc.edu krb5kdc[4081](info): TGS_REQ (1
etypes {1}) 144.92.X.X: PROCESS_TGS: authtime 0,  <unknown client> for
afs/geology.wisc.edu@GEOLOGY.WISC.EDU, Clock skew too great
May 09 11:43:04 kdc1.geology.wisc.edu krb5kdc[4081](info): TGS_REQ (1
etypes {1}) 144.92.X.X: PROCESS_TGS: authtime 0,  <unknown client> for
afs/geology.wisc.edu@GEOLOGY.WISC.EDU, Clock skew too great
May 09 11:43:04 kdc1.geology.wisc.edu krb5kdc[4081](info): TGS_REQ (1
etypes {1}) 144.92.X.X: PROCESS_TGS: authtime 0,  <unknown client> for
afs/geology.wisc.edu@GEOLOGY.WISC.EDU, Clock skew too great
May 09 11:43:04 kdc1.geology.wisc.edu krb5kdc[4081](info): TGS_REQ (1
etypes {1}) 144.92.X.X: PROCESS_TGS: authtime 0,  <unknown client> for
afs/geology.wisc.edu@GEOLOGY.WISC.EDU, Clock skew too great

- -- END krb5kdc.log --

Clock skew shouldn't be an issue though since the KDC, AFS server, and
client are all synced up almost to the second. In addition, if I use the
AFS client window instead of the NIM, I can obtain an AFS token and the
NIM can even see the token I received from the AFS client.

The AFS mounts work after using the AFS client to get the tokens, but
it's not an ideal process to go through. Can anyone out there lend a
quick hand to get the AFS/NIM integration working?

Cheers,

Tim
- --
/*********************************************************\
| Tim Schaab                |         Computer Facilities |
| 608-262-3738              |        tim@geology.wisc.edu |
| UW-Madison                |        Geology & Geophysics |
\******** GPG Key: http://dev-zero.org/pubkey.asc ********/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGQgpNCR3ITS1QXGYRAsvgAJ44cRojv8kRHwozeGGDkKMrlg85kACdEzby
Wdc/oGOqeTsLa3xQhFfpsLY=
=b+sk
-----END PGP SIGNATURE-----