[OpenAFS] Problems getting tickets on logon

Justin Brinegar brinegar@physics.unc.edu
Wed, 05 May 2010 11:44:58 -0400

Hi Jeff,

I'd prefer to get a TGT during the logon process.

Quoting an email on the kerberos list from a year ago (subject: KfW and 
NiM getting multiple TGT's, David Bear):

> NIM does not obtain the credentials.  The KFW network provider
> (kfwlogon.dll) does this if and only if:
>   1. the password for the AD and MIT realms are the same
>   2. kfwlogon.dll is installed
>   3. the default realm in the krb5.ini file is the MIT realm
> The NIM obtain new creds at startup does not affect the kfwlogon.dll.
> What it does is prompt the user for credentials if there are none
> available at startup.

The passwords for our AD/MIT accounts match, kfwlogon.dll is installed 
and I have confirmed it is the same arch as the OS, and the default 
realm in krb5.ini is the MIT realm.

You then suggested turning on debug event logging with 
HKLM\System\CurrentControlSet\Services\MIT Kerberos\NetworkProvider, 
Debug (DWORD) = 0x01.  This doesn't seem to work - nothing is shown in the 
application event log regarding KFW after a reboot and subsequent logon.


On 5/4/2010 5:37 PM, Stephen Joyce wrote:
> Hi Jeff,
> Thanks for replying.
> I think what Justin is trying to do is log into a PC in an AD domain
> (using a local or domain account), obtain krb5 tickets in an MIT realm,
> get tokens in an AFS cell (afs/cell@MIT.REALM), and optionally get
> tokens in a second AFS cell (afs@MIT.REALM).
> The principal names match. The passwords match. He has this working on a
> test machine in a test AD domain, but replicating it on a machine in a
> different AD domain is failing.
> I'm under the impression, perhaps mistaken(?), that a tgt in NIM is
> necessary for NIM to renew tickets and AFS tokens past the default
> lifetime.
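As an added diagnostic (not part of this thread or of KfW itself), the PowerShell script below checks the kfwlogon.dll conditions quoted above on the local machine: whether the DLL is present and matches the OS architecture, whether krb5.ini's default_realm is the MIT realm, and whether the NetworkProvider Debug value is set. The krb5.ini and DLL paths and the realm name are assumptions/placeholders to adjust; the matching-password condition cannot be checked locally.

```powershell
# Added diagnostic script, not from the thread. Checks conditions 2 and 3 of the
# quoted list plus the Debug registry value. Condition 1 (AD and MIT passwords
# match) cannot be verified locally. Paths below are assumptions: KfW commonly
# reads krb5.ini from %WINDIR%, and kfwlogon.dll is placed in System32.
param(
    [string]$MitRealm = 'MIT.REALM',                       # placeholder realm used in the thread
    [string]$Krb5Ini  = (Join-Path $env:WINDIR 'krb5.ini'),
    [string]$DllPath  = (Join-Path $env:WINDIR 'System32\kfwlogon.dll')
)

# Read the COFF Machine field from a PE file and map it to 'x86' / 'x64'.
function Get-PEArch([string]$Path) {
    $bytes   = [IO.File]::ReadAllBytes($Path)
    $peOff   = [BitConverter]::ToInt32($bytes, 0x3C)          # e_lfanew -> "PE\0\0"
    $machine = [BitConverter]::ToUInt16($bytes, $peOff + 4)   # IMAGE_FILE_HEADER.Machine
    switch ($machine) {
        0x14c  { 'x86' }
        0x8664 { 'x64' }
        default { '0x{0:x}' -f $machine }
    }
}

# 2. kfwlogon.dll installed, and the same architecture as the OS
if (Test-Path $DllPath) {
    $osArch  = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
    $dllArch = Get-PEArch $DllPath
    "kfwlogon.dll: found, $dllArch (OS is $osArch)" + $(if ($dllArch -ne $osArch) { ' <-- MISMATCH' })
} else {
    "kfwlogon.dll: NOT found at $DllPath"
}

# 3. default_realm in krb5.ini is the MIT realm
if (Test-Path $Krb5Ini) {
    $m = Select-String -Path $Krb5Ini -Pattern '^\s*default_realm\s*=\s*(\S+)' | Select-Object -First 1
    $realm = if ($m) { $m.Matches[0].Groups[1].Value } else { '<unset>' }
    "default_realm: $realm" + $(if ($realm -ne $MitRealm) { " <-- expected $MitRealm" })
} else {
    "krb5.ini: NOT found at $Krb5Ini"
}

# Debug event logging value named in the message (DWORD 1 enables it)
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MIT Kerberos\NetworkProvider'
$dbg = (Get-ItemProperty -Path $key -Name Debug -ErrorAction SilentlyContinue).Debug
'NetworkProvider Debug: ' + $(if ($null -eq $dbg) { '<not set>' } else { $dbg })
```

Run it from an elevated prompt after a reboot/logon so the reported state matches what kfwlogon.dll saw at logon time.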

