[OpenAFS] Integrated Windows Logon
Hugo Monteiro
hugo.monteiro@fct.unl.pt
Mon, 09 May 2011 19:01:10 +0100
On 05/09/2011 05:52 PM, Hugo Monteiro wrote:
> On 05/09/2011 05:18 PM, Hugo Monteiro wrote:
>> On 05/09/2011 03:25 PM, Jeffrey Altman wrote:
>>> Now I understand why aklog works for you but afscreds and afslogon do
>>> not. aklog always tries the service principal afs/<cell>@<USER-REALM>
>>> first regardless of what the VLDB host to domain mapping resolves to.
>>>
>>> I would still like to see the output from nslookup for the AFSDB
>>> records.
>>>
>>> Jeffrey Altman
>>>
>>
>>
>> Hi Jeffrey,
>>
>> I am assuming that the AFSDB records are to be specified under the
>> dns zone that the client uses as its primary dns suffix. That said,
>> and since the client dns suffix is oper.ci.fct.unl.pt,
>>
>>
>> ~$ dig -t AFSDB oper.ci.fct.unl.pt
>>
>> ; <<>> DiG 9.7.0-P1 <<>> -t AFSDB oper.ci.fct.unl.pt
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 501
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;oper.ci.fct.unl.pt. IN AFSDB
>>
>> ;; ANSWER SECTION:
>> oper.ci.fct.unl.pt. 86400 IN AFSDB 1 staff-afs1.ci.fct.unl.pt.
>> oper.ci.fct.unl.pt. 86400 IN AFSDB 2 staff-afs2.ci.fct.unl.pt.
>>
>> ;; Query time: 3 msec
>> ;; SERVER: 10.130.16.34#53(10.130.16.34)
>> ;; WHEN: Mon May 9 17:10:27 2011
>> ;; MSG SIZE rcvd: 116
>>
>>
>> Either way, I have also tried specifying the servers in the
>> CellServDB file, and the result was the same.
>>
>
>
> I also have the same type of records available for the zones
> fct.unl.pt and staff.fct.unl.pt.
> This was my first approach, which upon rereading the docs seems the
> appropriate one.
> I have disabled the dns views so you can check for the records yourself.
>
> Regards,
>
> Hugo Monteiro.
>
>
I just deployed a fresh 32-bit Win7 install, added the TheseCells
configuration and the appropriate krb5.ini file.
At logon it still doesn't get tokens for the second cell, but as soon as
I issue aklog -d staff.fct.unl.pt on the command line it is able to get
the tokens.
I'm in the process of deploying a fresh 64-bit Win7 install to replicate
the same configuration.
I can tell you though that I can still see in my KDC that it is asking
for krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT at logon time.
Regards,
Hugo Monteiro.
--
fct.unl.pt:~# cat .signature
Hugo Monteiro
Email : hugo.monteiro@fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web : http://hmonteiro.net
Divisão de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.fct.unl.pt apoio@fct.unl.pt
fct.unl.pt:~# _
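The point Jeffrey makes above (aklog tries afs/<cell>@<USER-REALM> first, while the logon path follows a cell-to-realm mapping) is easier to reason about with the candidate principals written out. The script below is an added example, not code from the thread or from OpenAFS: it parses the AFSDB answer section (a constructed copy of the one posted above), maps the cell's database servers to a realm, and lists the afs/<cell>@<realm> principals in the order this example assumes a client would try them, plus the cross-realm TGT that a foreign-realm attempt would have to fetch from the user's KDC. The realm heuristic (a [domain_realm]-style table, otherwise the server's DNS domain uppercased) and the try order are assumptions of the example, not a description of any particular client's logic. Note that per RFC 1183 the number after AFSDB is a subtype, not a priority; only subtype 1 denotes an AFS cell database server, which is why the example ignores the subtype-2 record.

```python
"""Added example (not part of the OpenAFS thread or project).

Derive which Kerberos principals an AFS client could ask for when
obtaining a token for a cell, to show how aklog and the integrated
logon can end up asking the KDC for different things.

Assumptions made here (labelled, not from the thread):
  * try order: the user's own realm first (what Jeffrey says aklog does),
    then the realm derived from the cell's AFSDB servers, then the cell
    name itself uppercased;
  * host-to-realm mapping: a [domain_realm]-style dict, otherwise the
    host's DNS domain uppercased (a simple heuristic, not any specific
    Kerberos library's behaviour).
"""
import re

# Constructed dig output, modelled on the answer section posted in the thread.
DIG_OUTPUT = """\
;; ANSWER SECTION:
oper.ci.fct.unl.pt. 86400 IN AFSDB 1 staff-afs1.ci.fct.unl.pt.
oper.ci.fct.unl.pt. 86400 IN AFSDB 2 staff-afs2.ci.fct.unl.pt.
"""

# owner  ttl  IN  AFSDB  subtype  hostname
AFSDB_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+AFSDB\s+(\d+)\s+(\S+)$", re.M)

AFS_CELL_DB_SUBTYPE = 1  # RFC 1183: subtype 1 = AFS cell database server


def parse_afsdb(text):
    """Return [(subtype, hostname)] for every AFSDB record in dig output."""
    return [(int(sub), host.rstrip(".")) for _, sub, host in AFSDB_RE.findall(text)]


def realm_for_host(host, domain_realm):
    """Map a hostname to a realm.

    Longest matching [domain_realm]-style entry wins; otherwise fall back
    to the host's DNS domain uppercased (assumed heuristic, see docstring).
    """
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return ".".join(labels[1:]).upper()


def candidate_principals(cell, user_realm, afsdb_text, domain_realm=None):
    """afs/<cell>@<realm> principals in the assumed try order, de-duplicated."""
    domain_realm = domain_realm or {}
    realms = [user_realm]
    for subtype, host in parse_afsdb(afsdb_text):
        if subtype != AFS_CELL_DB_SUBTYPE:
            continue  # not an AFS db server record; ignore it
        realm = realm_for_host(host, domain_realm)
        if realm not in realms:
            realms.append(realm)
    cell_realm = cell.upper()
    if cell_realm not in realms:
        realms.append(cell_realm)
    return [f"afs/{cell}@{realm}" for realm in realms]


def cross_realm_tgt(user_realm, target_realm):
    """TGT a client must get from the user's KDC before asking target_realm
    for a service ticket; this is what shows up in the KDC log when a client
    maps the cell to a realm other than the user's own."""
    return f"krbtgt/{target_realm}@{user_realm}"


if __name__ == "__main__":
    for p in candidate_principals("staff.fct.unl.pt", "FCT.UNL.PT", DIG_OUTPUT):
        print(p)
    print(cross_realm_tgt("FCT.UNL.PT", "STAFF.FCT.UNL.PT"))
```

Running it with the user realm FCT.UNL.PT lists afs/staff.fct.unl.pt@FCT.UNL.PT first, which is the ticket aklog obtains directly from the user's KDC; a client that instead maps the cell to STAFF.FCT.UNL.PT has to request krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT first, and if no such cross-realm principal exists in the KDC the token request fails. Adding an entry to the domain_realm dict (for example mapping ci.fct.unl.pt to FCT.UNL.PT) collapses the candidate list, which is the equivalent of the [domain_realm] section in krb5.ini.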