[OpenAFS] Problems getting tickets on logon

Justin Brinegar brinegar@physics.unc.edu
Tue, 04 May 2010 16:24:03 -0400

I'm having some problems getting Network Identity Manager/KFW to obtain 
tickets in a foreign kerberos realm at logon - details are below.  I've 
got this to work on one machine, but I can't replicate it on another.

The setup:

wedge is in atestdomain.physics.unc.edu, 32 bit Windows 7, UAC off. 
Logging on with WEDGE\brinegar gets me a MITKERB.UNC.EDU tgt (the 
passwords match).  Works as expected.  WEDGE\brinegar is an admin.  I 
have next to no GPOs set on this machine and I control atestdomain.  No 
trust relationships are involved.

screw is in adproduction.unc.edu, 64 bit Windows 7, UAC off.  Logging on 
with ADPRODUCTION\brinegar gets me an ADPRODUCTION.UNC.EDU tgt (though 
it does not with UAC ON, or at least I can't see it in NIM), but I'm 
expecting to get a MITKERB.UNC.EDU tgt as well (the passwords match), 
since I have configured NIM exactly the same as wedge above.  I 
experience the same symptom when I log on with a local account 

What would cause me to not get the MITKERB.UNC.EDU ticket on screw?  The 
krb5.ini files for the machines are the same, each can resolve the 
proper KDCs.  I have installed KFW 32/64 and NIMv2 32/64 - the 64bit 
netidmgr.exe launches upon logon with screw.  Once I get the ticket on 
logon, I'll use it to get tokens for two AFS cells automatically (works 
fine on wedge).

KFW - 3.2.2
screw/AFS - 1.5.7400
wedge/AFS - 1.5.7200

I'm in communication with the Domain Admin for adproduction.unc.edu, but 
I wanted to check with the community.

Any cookbook recipes or ideas are welcome.