[OpenAFS] Problems getting tickets on logon
Wed, 05 May 2010 17:25:42 -0400
I've narrowed it down a bit today with some more testing. Having read
the release notes and followed the directions/suggestions for 64 bit
Windows, is there something else I should be aware of? The process
works as expected on 32 bit Windows 7.
I still have some more testing to do regarding 64 bit machines and
blocked GPO inheritance, but any suggestions are appreciated in getting
this to work correctly.
On 5/5/2010 11:44 AM, Justin Brinegar wrote:
> Hi Jeff,
> I'd prefer to get a TGT during the logon process.
> Quoting an email on the kerberos list from a year ago (subject: KfW and
> NiM getting mutliple TGT's, David Bear):
> > NIM does not obtain the credentials. The KFW network provider
> > (kfwlogon.dll) does this if and only if:
> > 1. the password for the AD and MIT realms are the same
> > 2. kfwlogon.dll is installed
> > 3. the default realm in the krb5.ini file is the MIT realm
> > The NIM obtain new creds at startup does not affect the kfwlogon.dll.
> > What it does is prompt the user for credentials if there are none
> > available at startup.
> The passwords for our AD/MIT accounts match, kfwlogon.dll is installed
> and I have confirmed it is the same arch as the OS, and the default
> realm in krb5.ini is the MIT realm.
> You then suggested to turn on debug event logging with
> HKLM\System\CurrentControlSet\Services\MIT Kerberos\NetworkProvider
> Debug DWORD 0x01. This doesn't seem to work - nothing is shown in the
> application event log regarding KFW after a reboot and subsequent logon.
> On 5/4/2010 5:37 PM, Stephen Joyce wrote:
>> Hi Jeff,
>> Thanks for replying.
>> I think what Justin is trying to do is log into a PC in an AD domain
>> (using a local or domain account), obtain krb5 tickets in an MIT realm,
>> get tokens in an AFS cell (afs/cell@MIT.REALM), and optionally get
>> tokens in a second AFS cell (afs@MIT.REALM).
>> The principal names match. The passwords match. He has this working on a
>> test machine in a test AD domain, but replicating it on a machine in a
>> different AD domain is failing.
>> I'm under the impression, perhaps mistaken(?), that a tgt in NIM is
>> necessary for NIM to renew tickets and AFS tokens past the default
justin brinegar firstname.lastname@example.org
assistant windows administrator 919.962.6494 (v)
physics and astronomy, UNC Chapel Hill 919.962.0480 (f)