[OpenAFS] Help with Windows, OpenAFS 1.7 and Heimdal

Eric Sturdivant sturdiva@umd.edu
Thu, 15 Dec 2011 12:52:56 -0500 (EDT)

On Thu, 15 Dec 2011, Jeffrey Altman wrote:

> 32-bit NIM requires the krbv4w32.dll and krb524.dll from MIT KFW.
> A future Heimdal distribution will bundle them as an optional install
> item and a future NIM distribution will stop supporting Kerberos v4
> entirely.
> For now you can copy the DLLs from the MIT distribution and place them
> in your PATH.

This gets us a bit further, but now NIM fails getting AFS tokens. The 
error message is "Credentials could not be obtained for cell 

aklog -d shows:

C:\Users\Administrator>aklog -d
Authenticating to cell glue.umd.edu.
Getting v5 tickets: afs/glue.umd.edu@UMD.EDU
Kerberos error code returned by get_cred: -1765328234
aklog: Couldn't get glue.umd.edu AFS tickets: encryption type des-cbc-crc 
is dis

klist shows:

Credentials cache: API:tender@UMD.EDU
         Principal: tender@UMD.EDU
     Cache version: 0

Server: krbtgt/UMD.EDU@UMD.EDU
Client: tender@UMD.EDU
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 307
Auth time:  Dec 15 12:50:42 2011
End time:   Dec 15 22:50:45 2011
Ticket flags: pre-authent, initial, forwardable
Addresses: addressless

but the des-cbc-crc type is allowed in the KDC, klist output from a unix 

Server: afs/glue.umd.edu@UMD.EDU
Client: sturdiva@UMD.EDU
Ticket etype: des-cbc-crc, kvno 1
Ticket length: 310
Auth time:  Dec 15 12:29:24 2011
Start time: Dec 15 12:29:39 2011
End time:   Dec 16 12:29:25 2011
Ticket flags: forwarded, pre-authenticated, transited-policy-checked
Addresses: IPv4:

Is this a local setting (on the windows machine) preventing the afs ticket 
from being acquired? (tcpdump doesn't sohw any communication to the kdc's 
when the aklog command is run).

Eric Sturdivant
University of Maryland
Office of Information Technology
Enterprise Unix Services