[OpenAFS] AFS Windows Network ID Manager Plugin Configuration

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 23 Mar 2011 13:03:19 -0400


On 3/23/2011 12:21 PM, John P Janosik wrote:
> The nidmdbg.log shows:
> 11:04:00.312 [98] Begin: Getting AFS tokens... (child of [96])
> 11:04:00.312 2948[98] Info:(AfsCred) AFS New Creds :: ident
> 0000000001BF3E30
> 11:04:00.312 2948[98] Info:(AfsCred) Getting tokens for cell
> <cell>.ibm.com with realm <REALM>.IBM.COM using method 2
> 11:04:00.312 2948[98] Debug(1): Trying Kerberos 5
> 11:04:00.375 2948[98] Debug(1): Trying Krb524
> 11:04:00.375 2948[98] Debug(1): Kerberos 4 not configured
> 11:04:00.375 2948[98] ERROR:(AfsCred) Credentials could not be obtained
> for cell <cell>.ibm.com.

There is no Kerberos v4 support on this system.  Therefore, you cannot
use krb524 as a token format translation method.

End of life for Kerberos v4 was announced in 2003 by MIT.  Kerberos v4
was not implemented for any new platforms after that announcement.  My
guess is that you are using a 64-bit Windows operating system for which
there is no Kerberos v4 support.

If that is the case, you will have to avoid installing 64-bit versions
of Kerberos and NetIdMgr and instead exclusively use the 32-bit versions
in conjunction with the OpenAFS 32-bit tools package.  That is the only
method by which Kerberos v4 support can be obtained from existing

Note that 3.2.2 is the last version of MIT Kerberos that will include
Kerberos v4 support at all.  The Heimdal Kerberos for Windows also will
have no Kerberos v4 support on any platform.

An alternative approach that IBM could pursue for this transition is to
implement a KAS identity provider for Network Identity Manager and use
that until such time as all of the AFS servers have been migrated from
IBM to OpenAFS.

Jeffrey Altman
