[OpenAFS] Problems getting tickets on logon

Stephen Joyce stephen@physics.unc.edu
Tue, 4 May 2010 17:37:28 -0400 (EDT)

Hi Jeff,

Thanks for replying.

I think what Justin is trying to do is log into a PC in an AD domain (using 
a local or domain account), obtain krb5 tickets in an MIT realm, get 
tokens in an AFS cell (afs/cell@MIT.REALM), and optionally get tokens in 
a second AFS cell (afs@MIT.REALM).

The principal names match. The passwords match. He has this working on a 
test machine in a test AD domain, but replicating it on a machine in a 
different AD domain is failing.

I'm under the impression, perhaps mistaken(?), that a tgt in NIM is 
necessary for NIM to renew tickets and AFS tokens past the default 

On Tue, 4 May 2010, Jeffrey Altman wrote:

> On 5/4/2010 4:24 PM, Justin Brinegar wrote:
>> What would cause me to not get the MITKERB.UNC.EDU ticket on screw?  The
>> krb5.ini files for the machines are the same, each can resolve the
>> proper KDCs.  I have installed KFW 32/64 and NIMv2 32/64 - the 64bit
>> netidmgr.exe launches upon logon with screw.  Once I get the ticket on
>> logon, I'll use it to get tokens for two AFS cells automatically (works
>> fine on wedge).
> AFS token acquisition at logon is performed using the afslogon.dll
> network provider and is independent of the kfwlogon.dll.  It gets its
> own Kerberos TGT and uses its per domain configuration for deciding what
> realm to obtain a TGT from and which cells to obtain tokens for.
>> KFW - 3.2.2
>> NIM -
>> screw/AFS - 1.5.7400
>> wedge/AFS - 1.5.7200
>> I'm in communication with the Domain Admin for adproduction.unc.edu, but
>> I wanted to check with the community.
>> Any cookbook recipes or ideas are welcome.
>> Justin
> I think you need to start off by explaining what you are trying to
> accomplish .  Do you want a TGT acquiring during the logon process or do
> you want NIM to import a TGT from the Microsoft LSA cache and then do
> something with it?
> Jeffrey Altman