[OpenAFS] Help with Windows, OpenAFS 1.7 and Heimdal
Eric Sturdivant
sturdiva@umd.edu
Thu, 15 Dec 2011 12:52:56 -0500 (EDT)
On Thu, 15 Dec 2011, Jeffrey Altman wrote:
> 32-bit NIM requires the krbv4w32.dll and krb524.dll from MIT KFW.
> A future Heimdal distribution will bundle them as an optional install
> item and a future NIM distribution will stop supporting Kerberos v4
> entirely.
>
> For now you can copy the DLLs from the MIT distribution and place them
> in your PATH.
>
This gets us a bit further, but now NIM fails getting AFS tokens. The
error message is "Credentials could not be obtained for cell
glue.umd.edu".
aklog -d shows:
C:\Users\Administrator>aklog -d
Authenticating to cell glue.umd.edu.
Getting v5 tickets: afs/glue.umd.edu@UMD.EDU
Kerberos error code returned by get_cred: -1765328234
aklog: Couldn't get glue.umd.edu AFS tickets: encryption type des-cbc-crc is disabled
klist shows:
Credentials cache: API:tender@UMD.EDU
Principal: tender@UMD.EDU
Cache version: 0
Server: krbtgt/UMD.EDU@UMD.EDU
Client: tender@UMD.EDU
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 307
Auth time: Dec 15 12:50:42 2011
End time: Dec 15 22:50:45 2011
Ticket flags: pre-authent, initial, forwardable
Addresses: addressless
But the des-cbc-crc type is allowed in the KDC; klist output from a Unix
machine:
Server: afs/glue.umd.edu@UMD.EDU
Client: sturdiva@UMD.EDU
Ticket etype: des-cbc-crc, kvno 1
Ticket length: 310
Auth time: Dec 15 12:29:24 2011
Start time: Dec 15 12:29:39 2011
End time: Dec 16 12:29:25 2011
Ticket flags: forwarded, pre-authenticated, transited-policy-checked
Addresses: IPv4:128.8.236.234
Is this a local setting (on the Windows machine) preventing the AFS ticket
from being acquired? (tcpdump doesn't show any communication to the KDCs
when the aklog command is run.)
--
Eric Sturdivant
University of Maryland
Office of Information Technology
Enterprise Unix Services
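
Added example (not part of the original message, and not OpenAFS or Heimdal code): a Python helper that reads the numeric error printed by `aklog -d` as a com_err code in the krb5 error table and flags single-DES service tickets in klist output like that quoted above. The function names are hypothetical, the error table holds only the one offset needed here, and the sample text is excerpted from the two klist listings in the message.

```python
import re

# com_err base of the krb5 error table (ERROR_TABLE_BASE_krb5 in the krb5 headers).
KRB5_TABLE_BASE = -1765328384
# Only the offset this example needs, not the full table.
KRB5_ERRORS = {150: "KRB5_PROG_ETYPE_NOSUPP"}
# Single-DES enctypes, deprecated for Kerberos by RFC 6649.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# Excerpt of the two klist listings quoted in the message above.
SAMPLE = """\
Server: krbtgt/UMD.EDU@UMD.EDU
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Server: afs/glue.umd.edu@UMD.EDU
Ticket etype: des-cbc-crc, kvno 1
"""

def decode_krb5_error(code):
    """Map a com_err code to (offset, name) if it lies in the krb5 table."""
    offset = code - KRB5_TABLE_BASE
    if not 0 <= offset < 256:  # a com_err table spans at most 256 codes
        return None
    return offset, KRB5_ERRORS.get(offset, "unknown")

def parse_klist(text):
    """Return [(server principal, ticket etype)] from verbose klist output."""
    tickets, server = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(Server|Ticket etype):\s*(.+)", line)
        if not m:
            continue
        if m.group(1) == "Server":
            server = m.group(2).strip()
        elif server is not None:
            # "des-cbc-crc, kvno 1" -> "des-cbc-crc"
            tickets.append((server, m.group(2).split(",")[0].strip()))
            server = None
    return tickets

def weak_tickets(text):
    """Tickets whose enctype is single DES."""
    return [(s, e) for s, e in parse_klist(text) if e in SINGLE_DES]

if __name__ == "__main__":
    print(decode_krb5_error(-1765328234))
    for server, etype in weak_tickets(SAMPLE):
        print(f"single-DES ticket: {server} ({etype})")
```

The decoded name matches the text of the aklog message: the failure is reported by the Kerberos library on the client for the requested enctype.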