[OpenAFS] Problems getting tickets on logon
Tue, 4 May 2010 17:37:28 -0400 (EDT)
Thanks for replying.
I think what Justin is trying to do is log into a PC in an AD domain (using
a local or domain account), obtain krb5 tickets in an MIT realm, get
tokens in an AFS cell (afs/cell@MIT.REALM), and optionally get tokens in
a second AFS cell (afs@MIT.REALM).
The principal names match. The passwords match. He has this working on a
test machine in a test AD domain, but replicating it on a machine in a
different AD domain is failing.
I'm under the impression, perhaps mistaken(?), that a tgt in NIM is
necessary for NIM to renew tickets and AFS tokens past the default
On Tue, 4 May 2010, Jeffrey Altman wrote:
> On 5/4/2010 4:24 PM, Justin Brinegar wrote:
>> What would cause me to not get the MITKERB.UNC.EDU ticket on screw? The
>> krb5.ini files for the machines are the same, each can resolve the
>> proper KDCs. I have installed KFW 32/64 and NIMv2 32/64 - the 64-bit
>> netidmgr.exe launches upon logon with screw. Once I get the ticket on
>> logon, I'll use it to get tokens for two AFS cells automatically (works
>> fine on wedge).
> AFS token acquisition at logon is performed using the afslogon.dll
> network provider and is independent of the kfwlogon.dll. It gets its
> own Kerberos TGT and uses its per domain configuration for deciding what
> realm to obtain a TGT from and which cells to obtain tokens for.
>> KFW - 3.2.2
>> NIM - 18.104.22.1684
>> screw/AFS - 1.5.7400
>> wedge/AFS - 1.5.7200
>> I'm in communication with the Domain Admin for adproduction.unc.edu, but
>> I wanted to check with the community.
>> Any cookbook recipes or ideas are welcome.
> I think you need to start off by explaining what you are trying to
> accomplish. Do you want a TGT acquired during the logon process or do
> you want NIM to import a TGT from the Microsoft LSA cache and then do
> something with it?
> Jeffrey Altman