[OpenAFS] AFS Windows Network ID Manager Plugin Configuration

John P Janosik jpjanosi@us.ibm.com
Wed, 23 Mar 2011 11:21:47 -0500


Hopefully this is the right place for questions on using Network Identity
Manager with AFS.  I'm trying to set up a Windows 7 client to access
multiple AFS cells while the cells transition from kaserver to a krb5 kdc.
The default cell will be the last to migrate to krb5.  We have IBM AFS
servers that don't support v5 tickets and will for a while, so I need to
use krb524d.

For the default cell I'm able to get tokens only by using klog on the
command line and they work so I'm able to access that AFS cell.  I've added
identities for two test krb5 realms/AFS cells into netidmgr and
added/updated the AFS tab in the identity configuration for each to specify
the correct cell for each realm and set the method to "Kerberos v5 to v4".
When I try to obtain new credentials for either of these realms/cells, I
get the following error:

   Getting AFS tokens...
   Credentials could not be obtained for cell <cell>.ibm.com

Looking at a Wireshark trace I see a successful AS-REQ getting my krb5 tgt,
and a successful TGS-REQ to get the afs service ticket.  I don't see any
attempt to talk to krb524d to convert that ticket to v4.

The nidmdbg.log shows:

11:04:00.312 [98] Begin: Getting AFS tokens... (child of [96])
11:04:00.312 2948[98] Info:(AfsCred) AFS New Creds :: ident 0000000001BF3E30
11:04:00.312 2948[98] Info:(AfsCred) Getting tokens for cell <cell>.ibm.com with realm <REALM>.IBM.COM using method 2
11:04:00.312 2948[98] Debug(1): Trying Kerberos 5
11:04:00.375 2948[98] Debug(1): Trying Krb524
11:04:00.375 2948[98] Debug(1): Kerberos 4 not configured
11:04:00.375 2948[98] ERROR:(AfsCred) Credentials could not be obtained for cell <cell>.ibm.com.

I see in the netidmgr docs the following statement about Kerberos 4:

     Obtaining Kerberos v4 tickets is optional and may not be available on
     all systems. When available, Kerberos v4 tickets may only be obtained
     for the default identity.

Does this statement just apply to the AFS plugin and krb524d as well as
trying to get a v4 tgt or service ticket?  If so, is there any way around
this?  I will have multiple identities that I need to obtain AFS tokens for,
so setting one to default to get the Kerberos 4 tab/config won't solve the
issue.

John Janosik
jpjanosi@us.ibm.com

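An added example, not part of the original post and not Network Identity Manager code: a short Python script that groups nidmdbg.log lines like those quoted above by their bracketed context number and reports, per cell, which mechanisms were tried and the last debug message before the failure, which is useful when several identities request tokens. The line layout is inferred only from the excerpt in the post, and the second context ([101], cell2.example.com) is constructed sample data.

```python
import re

# Layout assumed from the seven lines in the post:
#   time, optional number, [context], message. A trailing ^M is a pasted CR.
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(?:\d+)?\[(?P<ctx>\d+)\]\s+(?P<msg>.*)$")
CELL = re.compile(r"Getting tokens for cell (\S+) with realm (\S+) using method (\d+)")
TRY = re.compile(r"^Debug\(\d+\): Trying (.+)$")

def summarize(log_text):
    """Return one record per log context that requested AFS tokens."""
    attempts = {}
    for raw in log_text.splitlines():
        m = LINE.match(re.sub(r"(\^M|\s)+$", "", raw))  # drop ^M and whitespace
        if not m:
            continue
        msg = m["msg"]
        rec = attempts.setdefault(m["ctx"], {
            "ctx": m["ctx"], "cell": None, "realm": None, "method": None,
            "tried": [], "reason": None, "failed": False})
        if c := CELL.search(msg):
            rec.update(cell=c[1], realm=c[2], method=int(c[3]))
        elif t := TRY.match(msg):
            rec["tried"].append(t[1])            # mechanisms in the order attempted
        elif msg.startswith("Debug"):
            rec["reason"] = msg.split(": ", 1)[1]  # last non-"Trying" debug line
        elif msg.startswith("ERROR"):
            rec["failed"] = True
    return [r for r in attempts.values() if r["cell"]]

# First block: the excerpt from the post. Second block ([101]): constructed.
SAMPLE = """\
11:04:00.312 [98] Begin: Getting AFS tokens... (child of [96])^M
11:04:00.312 2948[98] Info:(AfsCred) AFS New Creds :: ident 0000000001BF3E30^M
11:04:00.312 2948[98] Info:(AfsCred) Getting tokens for cell <cell>.ibm.com with realm <REALM>.IBM.COM using method 2^M
11:04:00.312 2948[98] Debug(1): Trying Kerberos 5^M
11:04:00.375 2948[98] Debug(1): Trying Krb524^M
11:04:00.375 2948[98] Debug(1): Kerberos 4 not configured^M
11:04:00.375 2948[98] ERROR:(AfsCred) Credentials could not be obtained for cell <cell>.ibm.com.^M
11:04:05.100 2948[101] Info:(AfsCred) Getting tokens for cell cell2.example.com with realm REALM2.EXAMPLE.COM using method 2^M
11:04:05.100 2948[101] Debug(1): Trying Kerberos 5^M
11:04:05.160 2948[101] Debug(1): Trying Krb524^M
11:04:05.160 2948[101] Debug(1): Kerberos 4 not configured^M
11:04:05.160 2948[101] ERROR:(AfsCred) Credentials could not be obtained for cell cell2.example.com.^M
"""

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        state = "FAILED" if r["failed"] else "no error logged"
        print(f'[{r["ctx"]}] {r["cell"]} ({r["realm"]}) method {r["method"]}: '
              f'tried {", ".join(r["tried"])}; {state}; last debug: {r["reason"]}')
```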