[OpenAFS] Integrated Windows Logon

Hugo Monteiro hugo.monteiro@fct.unl.pt
Tue, 10 May 2011 12:55:42 +0100


On 05/09/2011 08:04 PM, Jeffrey Altman wrote:
> On 5/9/2011 2:50 PM, Hugo Monteiro wrote:
>
>> The bad news is that even after i change that, i only get tokens for the
>> first cell at logon time. The good news is that right now i am able to
>> get the missing tokens by issuing aklog in the windows domain logon
>> script, which apparently runs only after the afs client has gotten the
>> tokens for the first cell. The problem is still there, but at least i
>> managed to go around it. A permanent fix would be nice though...
> http://gerrit.openafs.org/#change,4633
>


Hi Jeffrey,


I've just tried 1.5.7600, from git, and it still didn't work. The KDC 
log shows the following:

--- snip ---

2011-05-10T12:45:47 AS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/FCT.UNL.PT@FCT.UNL.PT
2011-05-10T12:45:47 No preauth found, returning PREAUTH-REQUIRED -- someuser@FCT.UNL.PT
2011-05-10T12:45:47 sending 257 bytes to IPv4:10.130.32.38
2011-05-10T12:45:48 AS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/FCT.UNL.PT@FCT.UNL.PT
2011-05-10T12:45:48 Client sent patypes: encrypted-timestamp
2011-05-10T12:45:48 Looking for PKINIT pa-data -- someuser@FCT.UNL.PT
2011-05-10T12:45:48 Looking for ENC-TS pa-data -- someuser@FCT.UNL.PT
2011-05-10T12:45:48 ENC-TS Pre-authentication succeeded -- someuser@FCT.UNL.PT using aes256-cts-hmac-sha1-96
2011-05-10T12:45:48 AS-REQ authtime: 2011-05-10T12:45:48 starttime: unset endtime: 2011-05-10T22:45:48 renew till: 2011-05-17T12:45:48
2011-05-10T12:45:48 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2011-05-10T12:45:48 Requested flags: renewable, forwardable
2011-05-10T12:45:48 sending 672 bytes to IPv4:10.130.32.38
2011-05-10T12:45:48 AS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/FCT.UNL.PT@FCT.UNL.PT
2011-05-10T12:45:48 No preauth found, returning PREAUTH-REQUIRED -- someuser@FCT.UNL.PT
2011-05-10T12:45:48 sending 257 bytes to IPv4:10.130.32.38
2011-05-10T12:45:48 AS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/FCT.UNL.PT@FCT.UNL.PT
2011-05-10T12:45:48 Client sent patypes: encrypted-timestamp
2011-05-10T12:45:48 Looking for PKINIT pa-data -- someuser@FCT.UNL.PT
2011-05-10T12:45:48 Looking for ENC-TS pa-data -- someuser@FCT.UNL.PT
2011-05-10T12:45:48 ENC-TS Pre-authentication succeeded -- someuser@FCT.UNL.PT using aes256-cts-hmac-sha1-96
2011-05-10T12:45:48 AS-REQ authtime: 2011-05-10T12:45:48 starttime: unset endtime: 2011-05-11T12:45:49 renew till: 2011-05-11T12:45:49
2011-05-10T12:45:48 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2011-05-10T12:45:48 Requested flags: renewable
2011-05-10T12:45:48 sending 672 bytes to IPv4:10.130.32.38
2011-05-10T12:45:49 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for afs/fct.unl.pt@FCT.UNL.PT [canonicalize, renewable]
2011-05-10T12:45:49 TGS-REQ authtime: 2011-05-10T12:45:48 starttime: 2011-05-10T12:45:49 endtime: 2011-05-11T12:45:49 renew till: unset
2011-05-10T12:45:49 sending 570 bytes to IPv4:10.130.32.38
2011-05-10T12:45:50 AS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/FCT.UNL.PT@FCT.UNL.PT
2011-05-10T12:45:50 No preauth found, returning PREAUTH-REQUIRED -- someuser@FCT.UNL.PT
2011-05-10T12:45:50 sending 257 bytes to IPv4:10.130.32.38
2011-05-10T12:45:51 AS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/FCT.UNL.PT@FCT.UNL.PT
2011-05-10T12:45:51 Client sent patypes: encrypted-timestamp
2011-05-10T12:45:51 Looking for PKINIT pa-data -- someuser@FCT.UNL.PT
2011-05-10T12:45:51 Looking for ENC-TS pa-data -- someuser@FCT.UNL.PT
2011-05-10T12:45:51 ENC-TS Pre-authentication succeeded -- someuser@FCT.UNL.PT using aes256-cts-hmac-sha1-96
2011-05-10T12:45:51 AS-REQ authtime: 2011-05-10T12:45:51 starttime: unset endtime: 2011-05-11T12:45:51 renew till: 2011-05-11T12:45:51
2011-05-10T12:45:51 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2011-05-10T12:45:51 Requested flags: renewable
2011-05-10T12:45:51 sending 672 bytes to IPv4:10.130.32.38
2011-05-10T12:45:51 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT [renewable]
2011-05-10T12:45:51 Server not found in database: krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT: no such entry found in hdb
2011-05-10T12:45:51 Failed building TGS-REP to IPv4:10.130.32.38
2011-05-10T12:45:51 sending 105 bytes to IPv4:10.130.32.38
2011-05-10T12:45:51 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT [renewable]
2011-05-10T12:45:51 Server not found in database: krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT: no such entry found in hdb
2011-05-10T12:45:51 Failed building TGS-REP to IPv4:10.130.32.38
2011-05-10T12:45:51 sending 107 bytes to IPv4:10.130.32.38
2011-05-10T12:45:57 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/FCT.UNL.PT@FCT.UNL.PT [renew, canonicalize, renewable, forwardable]
2011-05-10T12:45:57 TGS-REQ authtime: 2011-05-10T12:45:48 starttime: 2011-05-10T12:45:57 endtime: 2011-05-10T22:45:57 renew till: 2011-05-17T12:45:48
2011-05-10T12:45:57 sending 680 bytes to IPv4:10.130.32.38
2011-05-10T12:45:58 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/FCT.UNL.PT@FCT.UNL.PT [canonicalize, renewable, forwardable]
2011-05-10T12:45:58 Server (krbtgt/FCT.UNL.PT@FCT.UNL.PT) has no support for etypes
2011-05-10T12:45:58 Failed building TGS-REP to IPv4:10.130.32.38
2011-05-10T12:45:58 sending 107 bytes to IPv4:10.130.32.38
2011-05-10T12:45:58 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/FCT.UNL.PT@FCT.UNL.PT [renewable, forwardable]
2011-05-10T12:45:58 Server (krbtgt/FCT.UNL.PT@FCT.UNL.PT) has no support for etypes
2011-05-10T12:45:58 Failed building TGS-REP to IPv4:10.130.32.38
2011-05-10T12:45:58 sending 107 bytes to IPv4:10.130.32.38
2011-05-10T12:45:58 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for afs/fct.unl.pt@FCT.UNL.PT [canonicalize, renewable, forwardable]
2011-05-10T12:45:59 TGS-REQ authtime: 2011-05-10T12:45:48 starttime: 2011-05-10T12:45:58 endtime: 2011-05-10T22:45:57 renew till: 2011-05-17T12:45:48
2011-05-10T12:45:59 sending 605 bytes to IPv4:10.130.32.38

--- snip ---


As you can see, there are several requests for 
krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT, which doesn't exist. But the bad 
part is that I don't see a single request for 
afs/staff.fct.unl.pt@FCT.UNL.PT.
It seems that, in the end, it starts repeating the queries for the 
fct.unl.pt cell instead of trying the second cell, staff.fct.unl.pt.

If I'm dead wrong, just tell me to shut up :)

Please advise.


Regards,

Hugo Monteiro.

-- 
fct.unl.pt:~# cat .signature

Hugo Monteiro
Email	 : hugo.monteiro@fct.unl.pt
Telefone : +351 212948300 Ext.15307
Web      : http://hmonteiro.net

Divisão de Informática
Faculdade de Ciências e Tecnologia da
		   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Telefone: +351 212948596   Fax: +351 212948548
www.fct.unl.pt                apoio@fct.unl.pt

fct.unl.pt:~# _
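The reading of the KDC log in the message above can be reproduced mechanically. The following Python is an added example, not code from the post or from OpenAFS: it groups Heimdal KDC log lines of the shape quoted in the message into individual AS-REQ/TGS-REQ requests, classifies each request's outcome from the lines that follow it, and reports which expected service principals were never asked for at all. The embedded SAMPLE_LOG is an unwrapped subset of the excerpt in the post; the outcome labels (preauth-required, issued, unknown-service, etype-mismatch, failed) are this example's own naming, and the only message patterns it recognises are the ones that occur in that excerpt, so a real log may contain lines it ignores.

```python
"""Reconstruct per-request outcomes from a Heimdal KDC log excerpt.

Added example, not code from the post or from OpenAFS. SAMPLE_LOG is an
unwrapped subset of the excerpt quoted in the post; the outcome names and
matched message patterns are this example's own choices.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = """\
2011-05-10T12:45:47 AS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/FCT.UNL.PT@FCT.UNL.PT
2011-05-10T12:45:47 No preauth found, returning PREAUTH-REQUIRED -- someuser@FCT.UNL.PT
2011-05-10T12:45:47 sending 257 bytes to IPv4:10.130.32.38
2011-05-10T12:45:48 AS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/FCT.UNL.PT@FCT.UNL.PT
2011-05-10T12:45:48 ENC-TS Pre-authentication succeeded -- someuser@FCT.UNL.PT using aes256-cts-hmac-sha1-96
2011-05-10T12:45:48 AS-REQ authtime: 2011-05-10T12:45:48 starttime: unset endtime: 2011-05-10T22:45:48 renew till: 2011-05-17T12:45:48
2011-05-10T12:45:48 sending 672 bytes to IPv4:10.130.32.38
2011-05-10T12:45:49 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for afs/fct.unl.pt@FCT.UNL.PT [canonicalize, renewable]
2011-05-10T12:45:49 TGS-REQ authtime: 2011-05-10T12:45:48 starttime: 2011-05-10T12:45:49 endtime: 2011-05-11T12:45:49 renew till: unset
2011-05-10T12:45:49 sending 570 bytes to IPv4:10.130.32.38
2011-05-10T12:45:51 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT [renewable]
2011-05-10T12:45:51 Server not found in database: krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT: no such entry found in hdb
2011-05-10T12:45:51 Failed building TGS-REP to IPv4:10.130.32.38
2011-05-10T12:45:51 sending 105 bytes to IPv4:10.130.32.38
2011-05-10T12:45:58 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/FCT.UNL.PT@FCT.UNL.PT [canonicalize, renewable, forwardable]
2011-05-10T12:45:58 Server (krbtgt/FCT.UNL.PT@FCT.UNL.PT) has no support for etypes
2011-05-10T12:45:58 Failed building TGS-REP to IPv4:10.130.32.38
2011-05-10T12:45:58 sending 107 bytes to IPv4:10.130.32.38
"""

# A request line: "<ts> AS-REQ|TGS-REQ <client> from <addr> for <service> [flags]"
REQ_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>AS-REQ|TGS-REQ) (?P<client>\S+) from (?P<addr>\S+) "
    r"for (?P<service>\S+)(?: \[(?P<flags>[^\]]*)\])?$"
)


@dataclass
class Request:
    ts: str
    kind: str
    client: str
    addr: str
    service: str
    flags: tuple
    outcome: str = "unknown"   # filled in from the lines that follow the request
    detail: str = ""


def parse_kdc_log(text):
    """Group log lines into requests; a 'sending N bytes' line closes the current one."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            flags = tuple(f.strip() for f in m["flags"].split(",")) if m["flags"] else ()
            current = Request(m["ts"], m["kind"], m["client"], m["addr"], m["service"], flags)
            requests.append(current)
            continue
        if current is None:
            continue
        body = line.split(" ", 1)[1] if " " in line else line   # drop the timestamp
        if "PREAUTH-REQUIRED" in body:
            current.outcome = "preauth-required"
        elif body.startswith("Server not found in database"):
            current.outcome, current.detail = "unknown-service", body
        elif "has no support for etypes" in body:
            current.outcome, current.detail = "etype-mismatch", body
        elif body.startswith(("AS-REQ authtime:", "TGS-REQ authtime:")):
            current.outcome, current.detail = "issued", body     # ticket was issued
        elif body.startswith("Failed building") and current.outcome == "unknown":
            current.outcome = "failed"                           # refused, reason unparsed
        elif body.startswith("sending "):
            current = None
    return requests


def summarize(requests):
    """Map each requested service principal to a count of outcomes."""
    per_service = {}
    for r in requests:
        per_service.setdefault(r.service, Counter())[r.outcome] += 1
    return {svc: dict(c) for svc, c in per_service.items()}


def never_requested(requests, expected):
    """Expected service principals that appear in no request at all."""
    seen = {r.service for r in requests}
    return sorted(s for s in expected if s not in seen)


def failures(requests):
    """(service, outcome, detail) for every request the KDC refused."""
    return [(r.service, r.outcome, r.detail) for r in requests
            if r.outcome not in ("issued", "preauth-required")]


if __name__ == "__main__":
    reqs = parse_kdc_log(SAMPLE_LOG)
    for svc, counts in summarize(reqs).items():
        print(f"{svc}: {counts}")
    for svc, outcome, detail in failures(reqs):
        print(f"REFUSED {svc}: {outcome} ({detail})")
    # Both cells' afs principals live in realm FCT.UNL.PT, as the post describes.
    print("never requested:", never_requested(reqs, [
        "afs/fct.unl.pt@FCT.UNL.PT", "afs/staff.fct.unl.pt@FCT.UNL.PT"]))
```

Run against the sample, the script lists one unknown-service refusal for krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT, one etype-mismatch refusal for the realm's own krbtgt, and reports afs/staff.fct.unl.pt@FCT.UNL.PT as never requested, which is exactly the observation the message makes. For a real KDC log, pass the file contents instead of SAMPLE_LOG and extend the expected-principal list with the afs/<cell> principal of every cell the client is configured for.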