[OpenAFS] Problems getting tickets on logon
Justin Brinegar
brinegar@physics.unc.edu
Tue, 04 May 2010 16:24:03 -0400

I'm having some problems getting Network Identity Manager/KFW to obtain
tickets in a foreign Kerberos realm at logon - details are below. I've
got this to work on one machine, but I can't replicate it on another.

The setup:

wedge is in atestdomain.physics.unc.edu, 32-bit Windows 7, UAC off.
Logging on with WEDGE\brinegar gets me a MITKERB.UNC.EDU TGT (the
passwords match). Works as expected. WEDGE\brinegar is an admin. I
have next to no GPOs set on this machine and I control atestdomain. No
trust relationships are involved.

screw is in adproduction.unc.edu, 64-bit Windows 7, UAC off. Logging on
with ADPRODUCTION\brinegar gets me an ADPRODUCTION.UNC.EDU TGT (though
it does not with UAC ON, or at least I can't see it in NIM), but I'm
expecting to get a MITKERB.UNC.EDU TGT as well (the passwords match),
since I have configured NIM exactly the same as wedge above. I
experience the same symptom when I log on with a local account
SCREW\brinegar.

What would cause me to not get the MITKERB.UNC.EDU ticket on screw? The
krb5.ini files for the machines are the same, and each can resolve the
proper KDCs. I have installed KFW 32/64 and NIMv2 32/64 - the 64-bit
netidmgr.exe launches upon logon with screw. Once I get the ticket on
logon, I'll use it to get tokens for two AFS cells automatically (works
fine on wedge).

KFW - 3.2.2
NIM - 2.0.0.304
screw/AFS - 1.5.7400
wedge/AFS - 1.5.7200

I'm in communication with the Domain Admin for adproduction.unc.edu, but
I wanted to check with the community.

Any cookbook recipes or ideas are welcome.

Justin