[OpenAFS] Problems getting tickets on logon

Justin Brinegar brinegar@physics.unc.edu
Wed, 05 May 2010 17:25:42 -0400

I've narrowed it down a bit today with some more testing.  Having read 
the release notes and followed the directions/suggestions for 64 bit 
Windows, is there something else I should be aware of?  The process 
works as expected on 32 bit Windows 7.

I still have some more testing to do regarding 64 bit machines and 
blocked GPO inheritance, but any suggestions are appreciated in getting 
this to work correctly.


On 5/5/2010 11:44 AM, Justin Brinegar wrote:
> Hi Jeff,
> I'd prefer to get a TGT during the logon process.
> Quoting an email on the kerberos list from a year ago (subject: KfW and
> NiM getting mutliple TGT's, David Bear):
>  > NIM does not obtain the credentials. The KFW network provider
>  > (kfwlogon.dll) does this if and only if:
>  >
>  > 1. the password for the AD and MIT realms are the same
>  > 2. kfwlogon.dll is installed
>  > 3. the default realm in the krb5.ini file is the MIT realm
>  >
>  > The NIM obtain new creds at startup does not affect the kfwlogon.dll.
>  > What it does is prompt the user for credentials if there are none
>  > available at startup.
> The passwords for our AD/MIT accounts match, kfwlogon.dll is installed
> and I have confirmed it is the same arch as the OS, and the default
> realm in krb5.ini is the MIT realm.
> You then suggested to turn on debug event logging with
> HKLM\System\CurrentControlSet\Services\MIT Kerberos\NetworkProvider
> Debug DWORD 0x01. This doesn't seem to work - nothing is shown in the
> application event log regarding KFW after a reboot and subsequent logon.
> Justin
> On 5/4/2010 5:37 PM, Stephen Joyce wrote:
>> Hi Jeff,
>> Thanks for replying.
>> I think what Justin is trying to do is log into a PC in an AD domain
>> (using a local or domain account), obtain krb5 tickets in an MIT realm,
>> get tokens in an AFS cell (afs/cell@MIT.REALM), and optionally get
>> tokens in a second AFS cell (afs@MIT.REALM).
>> The principal names match. The passwords match. He has this working on a
>> test machine in a test AD domain, but replicating it on a machine in a
>> different AD domain is failing.
>> I'm under the impression, perhaps mistaken(?), that a tgt in NIM is
>> necessary for NIM to renew tickets and AFS tokens past the default
>> lifetime.

  justin brinegar                               brinegar@physics.unc.edu
  assistant windows administrator                       919.962.6494 (v)
  physics and astronomy, UNC Chapel Hill                919.962.0480 (f)