[OpenAFS] Integrated Windows Logon

Hugo Monteiro hugo.monteiro@fct.unl.pt
Fri, 06 May 2011 19:12:37 +0100 

On 05/06/2011 07:00 PM, Hugo Monteiro wrote:
> On 05/06/2011 06:51 PM, Jeffrey Altman wrote:
>> On 5/6/2011 1:46 PM, Hugo Monteiro wrote:
>>
>>> I have just tried with 1.6.0pre5 and it's still not working. :(
>>>
>>> Tokens for the first (default) cell arrive but it's failing again for
>>> the second cell defined at TheseCells.
>>>
>>> Error now is
>>>
>>> KFW_AFS_get_cred  uname=[user@FCT.UNL.PT] smbname=[staff\user]
>>> cell=[staff.fct.unl.pt] code=[-1765328377]
>>>
>>> Is it me that am overlooking anything?
>> The error is KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.  In other words, the KDC
>> has reported that the service principal for afs/staff.fct.unl.pt@<REALM>
>> is not a recognized principal.
>>
>> Jeffrey Altman
>>
>
>
> Hi Jeffrey,
>
> The problem is that afs/staff.fct.unl.pt@FCT.UNL.PT is in fact a 
> recognized principal.
>
> similarly, in a linux machine, in which i'm using the TheseCells 
> parameter:
>
>
> user@DIVINF-PC15:~$ kinit user
> user@FCT.UNL.PT's Password:
> user@DIVINF-PC15:~$ afslog
> user@DIVINF-PC15:~$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: user@FCT.UNL.PT
>
>   Issued           Expires          Principal
> May  6 18:56:26  May  7 04:56:25  krbtgt/FCT.UNL.PT@FCT.UNL.PT
> May  6 18:56:26  May  7 04:56:25  afs/fct.unl.pt@FCT.UNL.PT
> May  6 18:56:26  May  7 04:56:25  afs/staff.fct.unl.pt@FCT.UNL.PT
>
> user@DIVINF-PC15:~$ tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 1000) tokens for afs@staff.fct.unl.pt [Expires May  7 
> 04:59]
> User's (AFS ID 1000) tokens for afs@fct.unl.pt [Expires May  7 04:59]
>    --End of list--
>
>
> ... and thanks for the swift reply.
>
> Regards,
>
> Hugo Monteiro.
>


Hello again,


I've looked into the kdc's log and i found something interesting.

Apparently, and although i've set the realm FCT.UNL.PT to be used with 
the second cell staff.fct.unl.pt, it's trying to get the principal 
krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT which in fact does not exist.
Shouldn't it only be using the principal krbtgt/FCT.UNL.PT@FCT.UNL.PT 
(there's only one REALM after all) instead of trying them both?

Regards,

Hugo Monteiro.

-- 
fct.unl.pt:~# cat .signature

Hugo Monteiro
Email	 : hugo.monteiro@fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web      : http://hmonteiro.net

Divisão de Informática
Faculdade de Ciências e Tecnologia da
		   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Telefone: +351 212948596   Fax: +351 212948548
www.fct.unl.pt                apoio@fct.unl.pt

fct.unl.pt:~# _