[OpenAFS] Integrated Windows Logon
Fri, 06 May 2011 19:41:36 +0100
On 05/06/2011 07:12 PM, Hugo Monteiro wrote:
> On 05/06/2011 07:00 PM, Hugo Monteiro wrote:
>> On 05/06/2011 06:51 PM, Jeffrey Altman wrote:
>>> On 5/6/2011 1:46 PM, Hugo Monteiro wrote:
>>>> I have just tried with 1.6.0pre5 and it's still not working. :(
>>>> Tokens for the first (default) cell arrive but it's failing again for
>>>> the second cell defined at TheseCells.
>>>> Error now is
>>>> KFW_AFS_get_cred uname=[user@FCT.UNL.PT] smbname=[staff\user]
>>>> cell=[staff.fct.unl.pt] code=[-1765328377]
>>>> Is it me that am overlooking anything?
>>> The error is KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. In other words, the KDC
>>> has reported that the service principal for
>>> is not a recognized principal.
>>> Jeffrey Altman
>> Hi Jeffrey,
>> The problem is that afs/staff.fct.unl.pt@FCT.UNL.PT is in fact a
>> recognized principal.
>> similarly, in a linux machine, in which i'm using the TheseCells
>> user@DIVINF-PC15:~$ kinit user
>> user@FCT.UNL.PT's Password:
>> user@DIVINF-PC15:~$ afslog
>> user@DIVINF-PC15:~$ klist
>> Credentials cache: FILE:/tmp/krb5cc_1000
>> Principal: user@FCT.UNL.PT
>> Issued Expires Principal
>> May 6 18:56:26 May 7 04:56:25 krbtgt/FCT.UNL.PT@FCT.UNL.PT
>> May 6 18:56:26 May 7 04:56:25 afs/fct.unl.pt@FCT.UNL.PT
>> May 6 18:56:26 May 7 04:56:25 afs/staff.fct.unl.pt@FCT.UNL.PT
>> user@DIVINF-PC15:~$ tokens
>> Tokens held by the Cache Manager:
>> User's (AFS ID 1000) tokens for firstname.lastname@example.org [Expires May 7
>> User's (AFS ID 1000) tokens for email@example.com [Expires May 7 04:59]
>> --End of list--
>> ... and thanks for the swift reply.
>> Hugo Monteiro.
> Hello again,
> I've looked into the kdc's log and i found something interesting.
> Apparently, and although i've set the realm FCT.UNL.PT to be used with
> the second cell staff.fct.unl.pt, it's trying to get the principal
> krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT which in fact does not exist.
> Shouldn't it only be using the principal krbtgt/FCT.UNL.PT@FCT.UNL.PT
> (there's only one REALM after all) instead of trying them both?
> Hugo Monteiro.
I should also mention that i have set the following keys
That said, i would expect that only realm FCT.UNL.PT (and it's
principals) would be queried.
fct.unl.pt:~# cat .signature
Email : firstname.lastname@example.org
Telefone : +351 212948300 Ext.15307
Web : http://hmonteiro.net
Divisão de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548