[OpenAFS] Integrated Windows Logon

Hugo Monteiro hugo.monteiro@fct.unl.pt
Fri, 06 May 2011 19:41:36 +0100


On 05/06/2011 07:12 PM, Hugo Monteiro wrote:
> On 05/06/2011 07:00 PM, Hugo Monteiro wrote:
>> On 05/06/2011 06:51 PM, Jeffrey Altman wrote:
>>> On 5/6/2011 1:46 PM, Hugo Monteiro wrote:
>>>
>>>> I have just tried with 1.6.0pre5 and it's still not working. :(
>>>>
>>>> Tokens for the first (default) cell arrive but it's failing again for
>>>> the second cell defined at TheseCells.
>>>>
>>>> Error now is
>>>>
>>>> KFW_AFS_get_cred  uname=[user@FCT.UNL.PT] smbname=[staff\user]
>>>> cell=[staff.fct.unl.pt] code=[-1765328377]
>>>>
>>>> Is it me who is overlooking something?
>>> The error is KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.  In other words, the KDC
>>> has reported that the service principal for 
>>> afs/staff.fct.unl.pt@<REALM>
>>> is not a recognized principal.
>>>
>>> Jeffrey Altman
>>>
>>
>>
>> Hi Jeffrey,
>>
>> The problem is that afs/staff.fct.unl.pt@FCT.UNL.PT is in fact a 
>> recognized principal.
>>
>> Similarly, on a Linux machine, on which I'm using the TheseCells 
>> parameter:
>>
>>
>> user@DIVINF-PC15:~$ kinit user
>> user@FCT.UNL.PT's Password:
>> user@DIVINF-PC15:~$ afslog
>> user@DIVINF-PC15:~$ klist
>> Credentials cache: FILE:/tmp/krb5cc_1000
>>         Principal: user@FCT.UNL.PT
>>
>>   Issued           Expires          Principal
>> May  6 18:56:26  May  7 04:56:25  krbtgt/FCT.UNL.PT@FCT.UNL.PT
>> May  6 18:56:26  May  7 04:56:25  afs/fct.unl.pt@FCT.UNL.PT
>> May  6 18:56:26  May  7 04:56:25  afs/staff.fct.unl.pt@FCT.UNL.PT
>>
>> user@DIVINF-PC15:~$ tokens
>>
>> Tokens held by the Cache Manager:
>>
>> User's (AFS ID 1000) tokens for afs@staff.fct.unl.pt [Expires May  7 04:59]
>> User's (AFS ID 1000) tokens for afs@fct.unl.pt [Expires May  7 04:59]
>>    --End of list--
>>
>>
>> ... and thanks for the swift reply.
>>
>> Regards,
>>
>> Hugo Monteiro.
>>
>
>
> Hello again,
>
>
> I've looked into the KDC's log and I found something interesting.
>
> Apparently, and although I've set the realm FCT.UNL.PT to be used with 
> the second cell staff.fct.unl.pt, it's trying to get the principal 
> krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT, which in fact does not exist.
> Shouldn't it only be using the principal krbtgt/FCT.UNL.PT@FCT.UNL.PT 
> (there's only one REALM after all) instead of trying them both?
>
> Regards,
>
> Hugo Monteiro.
>


Me, again,


I should also mention that I have set the following keys:


[HKEY_LOCAL_MACHINE\SOFTWARE\OpenAFS\Client\Realms]

[HKEY_LOCAL_MACHINE\SOFTWARE\OpenAFS\Client\Realms\FCT.UNL.PT]

[HKEY_LOCAL_MACHINE\SOFTWARE\OpenAFS\Client\Realms\FCT.UNL.PT\fct.unl.pt]
"MethodName"="Kerberos5"
"Realm"="FCT.UNL.PT"

[HKEY_LOCAL_MACHINE\SOFTWARE\OpenAFS\Client\Realms\FCT.UNL.PT\staff.fct.unl.pt]
"MethodName"="Kerberos5"
"Realm"="FCT.UNL.PT"


That said, I would expect that only realm FCT.UNL.PT (and its 
principals) would be queried.


Please advise.

Regards,

Hugo Monteiro.


-- 
fct.unl.pt:~# cat .signature

Hugo Monteiro
Email	 : hugo.monteiro@fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web      : http://hmonteiro.net

Divisão de Informática
Faculdade de Ciências e Tecnologia da
		   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Telefone: +351 212948596   Fax: +351 212948548
www.fct.unl.pt                apoio@fct.unl.pt

fct.unl.pt:~# _
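Added example (not part of the thread above, and not OpenAFS or KfW code): the `code=[-1765328377]` in the KFW_AFS_get_cred log line is a com_err error code, and the script below decodes it the way Jeffrey did by hand. com_err packs the error-table name into the upper 24 bits (6 bits per character) and the entry index into the low 8 bits; the "krb5" table shared by MIT Kerberos and Heimdal begins with the RFC 4120 protocol error codes, so base("krb5") + 7 is KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. The script also parses the log line and prints the service principal `afs/<cell>@<REALM>` that the KDC must know for that cell. Assumptions: the log line format is taken from the thread; the realm used for the service principal defaults to the realm of `uname`, which matches the Realms registry keys above (both cells map to FCT.UNL.PT) but is a parameter, since the cell-to-realm mapping is what actually applies; the error-name table covers only the RFC 4120 codes, other entries are reported by table and index.

```python
"""Decode com_err Kerberos error codes from a KFW_AFS_get_cred log line.

Added example; not code from OpenAFS or Kerberos for Windows.
"""
import re

# RFC 4120 section 7.5.9 protocol error codes. They are the first entries of
# the "krb5" com_err table, where MIT/Heimdal name them with a KRB5 prefix.
KRB5_PROTOCOL_ERRORS = {
    0: "KDC_ERR_NONE", 1: "KDC_ERR_NAME_EXP", 2: "KDC_ERR_SERVICE_EXP",
    3: "KDC_ERR_BAD_PVNO", 4: "KDC_ERR_C_OLD_MAST_KVNO",
    5: "KDC_ERR_S_OLD_MAST_KVNO", 6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 8: "KDC_ERR_PRINCIPAL_NOT_UNIQUE",
    9: "KDC_ERR_NULL_KEY", 10: "KDC_ERR_CANNOT_POSTDATE",
    11: "KDC_ERR_NEVER_VALID", 12: "KDC_ERR_POLICY", 13: "KDC_ERR_BADOPTION",
    14: "KDC_ERR_ETYPE_NOSUPP", 15: "KDC_ERR_SUMTYPE_NOSUPP",
    16: "KDC_ERR_PADATA_TYPE_NOSUPP", 17: "KDC_ERR_TRTYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED", 19: "KDC_ERR_SERVICE_REVOKED",
    20: "KDC_ERR_TGT_REVOKED", 21: "KDC_ERR_CLIENT_NOTYET",
    22: "KDC_ERR_SERVICE_NOTYET", 23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
    26: "KDC_ERR_SERVER_NOMATCH", 27: "KDC_ERR_MUST_USE_USER2USER",
    28: "KDC_ERR_PATH_NOT_ACCEPTED", 29: "KDC_ERR_SVC_UNAVAILABLE",
    31: "KRB_AP_ERR_BAD_INTEGRITY", 32: "KRB_AP_ERR_TKT_EXPIRED",
    33: "KRB_AP_ERR_TKT_NYV", 34: "KRB_AP_ERR_REPEAT", 35: "KRB_AP_ERR_NOT_US",
    36: "KRB_AP_ERR_BADMATCH", 37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED",
    60: "KRB_ERR_GENERIC", 61: "KRB_ERR_FIELD_TOOLONG",
}


def _char_to_num(c):
    """com_err 6-bit character code: A-Z -> 1..26, a-z -> 27..52, 0-9 -> 53..62."""
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 1
    if "a" <= c <= "z":
        return ord(c) - ord("a") + 27
    if "0" <= c <= "9":
        return ord(c) - ord("0") + 53
    return 0


def _num_to_char(n):
    if 1 <= n <= 26:
        return chr(ord("A") + n - 1)
    if 27 <= n <= 52:
        return chr(ord("a") + n - 27)
    if 53 <= n <= 62:
        return chr(ord("0") + n - 53)
    return ""


def table_base(name):
    """Signed 32-bit base of a com_err table, e.g. table_base("krb5") == -1765328384."""
    packed = 0
    for c in name[:4]:
        packed = (packed << 6) + _char_to_num(c)
    unsigned = (packed << 8) & 0xFFFFFFFF
    return unsigned - (1 << 32) if unsigned & 0x80000000 else unsigned


def decode_com_err(code):
    """Split a signed com_err code into (table name, entry index)."""
    unsigned = code & 0xFFFFFFFF
    offset = unsigned & 0xFF
    packed = unsigned >> 8
    chars = []
    while packed:
        chars.append(_num_to_char(packed & 0x3F))
        packed >>= 6
    return "".join(reversed(chars)), offset


def com_err_name(code):
    table, offset = decode_com_err(code)
    if table == "krb5" and offset in KRB5_PROTOCOL_ERRORS:
        return "KRB5" + KRB5_PROTOCOL_ERRORS[offset]
    return "%s table, entry %d" % (table, offset)


# Log line format as it appears in the thread; the regex is an assumption.
KFW_LINE_RE = re.compile(
    r"KFW_AFS_get_cred\s+uname=\[(?P<uname>[^\]]*)\]\s+smbname=\[(?P<smbname>[^\]]*)\]"
    r"\s+cell=\[(?P<cell>[^\]]*)\]\s+code=\[(?P<code>-?\d+)\]")


def parse_kfw_line(line):
    m = KFW_LINE_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["code"] = int(fields["code"])
    return fields


def afs_service_principal(cell, realm):
    """The principal the KDC must know to issue an AFS service ticket for a cell."""
    return "afs/%s@%s" % (cell, realm)


def explain(line, realm=None):
    """Name the error and the service principal for one KFW_AFS_get_cred line.

    The realm defaults to the user's realm (assumption: matches the Realms
    registry mapping in the thread); pass the cell's configured realm otherwise.
    """
    fields = parse_kfw_line(line)
    if fields is None:
        return None
    realm = realm or fields["uname"].rpartition("@")[2]
    return {"cell": fields["cell"], "error": com_err_name(fields["code"]),
            "service_principal": afs_service_principal(fields["cell"], realm)}


# Constructed sample: the log line quoted in the thread.
SAMPLE_LOG_LINE = (r"KFW_AFS_get_cred  uname=[user@FCT.UNL.PT] smbname=[staff\user] "
                   r"cell=[staff.fct.unl.pt] code=[-1765328377]")

if __name__ == "__main__":
    print(explain(SAMPLE_LOG_LINE))
```

Once the name is known, the next check is the one Jeffrey implies: ask the KDC directly for the service principal (for example with `kvno afs/staff.fct.unl.pt@FCT.UNL.PT` on the Linux box where afslog already succeeds) and compare with the KDC log, which in this thread shows the client asking for a `krbtgt/STAFF.FCT.UNL.PT` cross-realm ticket rather than the `afs/` principal itself.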