[OpenAFS] Problems getting tickets on logon
Wed, 05 May 2010 11:44:58 -0400
I'd prefer to get a TGT during the logon process.
Quoting an email on the kerberos list from a year ago (subject: KfW and
NiM getting mutliple TGT's, David Bear):
> NIM does not obtain the credentials. The KFW network provider
> (kfwlogon.dll) does this if and only if:
> 1. the password for the AD and MIT realms are the same
> 2. kfwlogon.dll is installed
> 3. the default realm in the krb5.ini file is the MIT realm
> The NIM obtain new creds at startup does not affect the kfwlogon.dll.
> What it does is prompt the user for credentials if there are none
> available at startup.
The passwords for our AD/MIT accounts match, kfwlogon.dll is installed
and I have confirmed it is the same arch as the OS, and the default
realm in krb5.ini is the MIT realm.
You then suggested to turn on debug event logging with
Debug DWORD 0x01. This doesn't seem to work - nothing is shown in the
application event log regarding KFW after a reboot and subsequent logon.
On 5/4/2010 5:37 PM, Stephen Joyce wrote:
> Hi Jeff,
> Thanks for replying.
> I think what Justin is trying to do is log into a PC in an AD domain
> (using a local or domain account), obtain krb5 tickets in an MIT realm,
> get tokens in an AFS cell (afs/cell@MIT.REALM), and optionally get
> tokens in a second AFS cell (afs@MIT.REALM).
> The principal names match. The passwords match. He has this working on a
> test machine in a test AD domain, but replicating it on a machine in a
> different AD domain is failing.
> I'm under the impression, perhaps mistaken(?), that a tgt in NIM is
> necessary for NIM to renew tickets and AFS tokens past the default
justin brinegar firstname.lastname@example.org
assistant windows administrator 919.962.6494 (v)
physics and astronomy, UNC Chapel Hill 919.962.0480 (f)