[OpenAFS] KfW on Windows 7 / 64 bit

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 02 Feb 2011 13:04:05 -0500


On 2/2/2011 12:39 PM, John Tang Boyland wrote:
> I have a student who is trying to get Kerberos/OpenAFS working on
> Windows 7 (64 bit).  But not even NIM works, it says that
> 	validity of identity couldn't be determined
> When they run kinit in a command.com window they get the same error
> with one (I am typing this from memory) about not being able to
> contact a KDC for the desired realm.
> And yet,
> 	ping kerberos.cs.uwm.edu
> works just fine.

MIT Kerberos provides very few mechanisms for debugging the internals of
the library operations.  Things you can do:

* Turn on Network Identity Manager logging from the General page
  and confirm that the identity the user is entering matches
  the one in the KDB

* Examine the KDC logs to see if a request is in fact being
  received for that user and what error response is being sent.

* Use wireshark or Microsoft netmon to trace the network traffic
  and confirm that the user is in fact sending requests to the
  correct KDCs.

A failure to contact a KDC for the desired realm can be a failure to
identify what the KDCs for the desired realm are.

Since the user is on Windows 7, if a krb5.ini file is being used
to specify the configuration data for the realm and it is stored
in the %windir% directory and the user is not an Administrator
for the machine it is quite likely that the user cannot read the

On Windows Vista/7/2008 the proper location for such a configuration
file is \ProgramData\Kerberos but because KFW 3.2 was released before
Vista and due to historical reasons, that is not the default location.
Sites that deploy KFW when transforming the MSI installer to include
their own krb5.ini file should store it at that location and set the
system-wide KRB5_CONFIG environment variable to refer to it.
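The following PowerShell script is an added diagnostic example and is not part of this message or of KfW; it ties together the "confirm the user is sending requests to the correct KDCs" step above and the krb5.ini placement point just made. Run as the affected (non-Administrator) user, it reports which krb5.ini KfW is likely to pick up (KRB5_CONFIG, then \ProgramData\Kerberos, then %windir%), actually opens each file so an ACL that blocks the user shows up as a denial rather than a "file exists", pulls the kdc entries for one realm out of the [realms] stanza, falls back to a DNS SRV lookup via nslookup when there are none, and tries TCP port 88 on each KDC. The realm name is a placeholder you must replace; the [realms] parser is a deliberately minimal one written for this example, and nslookup plus System.Net.Sockets.TcpClient are used instead of newer cmdlets because the latter are not present on Windows 7.

```powershell
# Added diagnostic (not from the original message): where will KfW find
# krb5.ini, can THIS user read it, which KDCs does it name for a realm, and
# do those KDCs answer on TCP 88?  Run as the user who sees the failure.
param(
    [string]$Realm = "EXAMPLE.REALM"   # placeholder: put the site's realm here
)

# Candidate config locations, in the order worth checking.
$candidates = @()
if ($env:KRB5_CONFIG) { $candidates += $env:KRB5_CONFIG }
$candidates += (Join-Path $env:ProgramData "Kerberos\krb5.ini")   # recommended on Vista/7
$candidates += (Join-Path $env:windir      "krb5.ini")            # legacy KfW default

$config = $null
$configPath = $null
foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host ("absent   : " + $path)
        continue
    }
    try {
        # Open the file as the current user: Test-Path only proves it exists,
        # not that the ACL on %windir% lets a non-Administrator read it.
        $content = [System.IO.File]::ReadAllLines($path)
        Write-Host ("readable : " + $path)
        if (-not $config) { $config = $content; $configPath = $path }
    } catch [System.UnauthorizedAccessException] {
        Write-Host ("DENIED   : " + $path + " (exists, but this user cannot read it)")
    }
}

# Minimal parse of the [realms] stanza: collect "kdc = host[:port]" lines
# that sit inside the block for the requested realm.
$kdcs = @()
if ($config) {
    $inRealms = $false
    $inRealm  = $false
    foreach ($line in $config) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inRealms = ($matches[1] -eq 'realms'); $inRealm = $false; continue }
        if (-not $inRealms) { continue }
        if ($t -match '^(\S+)\s*=\s*\{')  { $inRealm = ($matches[1] -ieq $Realm); continue }
        if ($t -eq '}')                   { $inRealm = $false; continue }
        if ($inRealm -and $t -match '^kdc\s*=\s*(\S+)') { $kdcs += $matches[1] }
    }
}

if ($kdcs.Count -eq 0) {
    # No static entry: the library would have to discover KDCs through DNS
    # SRV records, so do the same lookup by hand (nslookup exists on Windows 7).
    Write-Host ("no kdc entries for " + $Realm + " in config; trying DNS SRV")
    $srvLines = & nslookup -type=SRV ("_kerberos._tcp." + $Realm.ToLower()) 2>$null
    foreach ($l in $srvLines) {
        if ($l -match 'svr hostname\s*=\s*(\S+)') { $kdcs += $matches[1] }
    }
}

if ($kdcs.Count -eq 0) {
    Write-Host ("NO KDCs found for " + $Realm + ": the 'cannot contact any KDC' error is expected")
}

# Try a TCP connection to port 88 on each KDC with a short timeout.  A
# timeout here points at a firewall or a wrong KDC name rather than at KfW.
foreach ($kdc in $kdcs) {
    $kdcHost, $port = $kdc -split ':'
    if (-not $port) { $port = 88 }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($kdcHost, [int]$port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected) {
            Write-Host ("reachable: " + $kdcHost + ":" + $port)
        } else {
            Write-Host ("NO ANSWER: " + $kdcHost + ":" + $port + " (firewall or wrong KDC?)")
        }
    } catch {
        Write-Host ("NO ANSWER: " + $kdcHost + ":" + $port + " (" + $_.Exception.Message + ")")
    } finally {
        $client.Close()
    }
}
```

Invoke it as `.\Check-Krb5Config.ps1 -Realm EXAMPLE.REALM` (script name is a placeholder). If the script reports DENIED for the %windir% copy, that matches the non-Administrator case described above: the fix is to move the file to \ProgramData\Kerberos and point the machine-wide variable at it, which an Administrator can do with `[Environment]::SetEnvironmentVariable("KRB5_CONFIG", "$env:ProgramData\Kerberos\krb5.ini", "Machine")`, then log the user off and on so new processes inherit it.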

> They are not aware of any firewall issues that would be
> preventing kerberos from getting through.
> But that's the only thing I could think of,
> since the server is accessible to everyone else,
> and is accessible from their computer using ping.
> We still haven't solved earlier problems either.
> I find it bizarre how four people running the latest
> OpenAFS on Windows 7 on 64 bit machines can get four
> completely different results.

With all due respect, Kerberos issues are not OpenAFS issues.

Jeffrey Altman
