[OpenAFS] Integrated Windows Logon
Hugo Monteiro
hugo.monteiro@fct.unl.pt
Tue, 10 May 2011 12:55:42 +0100
On 05/09/2011 08:04 PM, Jeffrey Altman wrote:
> On 5/9/2011 2:50 PM, Hugo Monteiro wrote:
>
>> The bad news is that even after i change that, i only get tokens for the
>> first cell at logon time. The good news is that right now i am able to
>> get the missing tokens by issuing aklog in the windows domain logon
>> script, which apparently runs only after the afs client has gotten the
>> tokens for the first cell. The problem is still there, but at least i
>> managed to go around it. A permanent fix would be nice though...
> http://gerrit.openafs.org/#change,4633
>
Hi Jeffrey,
I've just tried 1.5.7600, from git, and it still didn't work. The KDC
log shows the following:
--- snip ---
2011-05-10T12:45:47 AS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38
for krbtgt/FCT.UNL.PT@FCT.UNL.PT
2011-05-10T12:45:47 No preauth found, returning PREAUTH-REQUIRED --
someuser@FCT.UNL.PT
2011-05-10T12:45:47 sending 257 bytes to IPv4:10.130.32.38
2011-05-10T12:45:48 AS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38
for krbtgt/FCT.UNL.PT@FCT.UNL.PT
2011-05-10T12:45:48 Client sent patypes: encrypted-timestamp
2011-05-10T12:45:48 Looking for PKINIT pa-data -- someuser@FCT.UNL.PT
2011-05-10T12:45:48 Looking for ENC-TS pa-data -- someuser@FCT.UNL.PT
2011-05-10T12:45:48 ENC-TS Pre-authentication succeeded --
someuser@FCT.UNL.PT using aes256-cts-hmac-sha1-96
2011-05-10T12:45:48 AS-REQ authtime: 2011-05-10T12:45:48 starttime:
unset endtime: 2011-05-10T22:45:48 renew till: 2011-05-17T12:45:48
2011-05-10T12:45:48 Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc,
des-cbc-md5, des-cbc-md4, using
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2011-05-10T12:45:48 Requested flags: renewable, forwardable
2011-05-10T12:45:48 sending 672 bytes to IPv4:10.130.32.38
2011-05-10T12:45:48 AS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38
for krbtgt/FCT.UNL.PT@FCT.UNL.PT
2011-05-10T12:45:48 No preauth found, returning PREAUTH-REQUIRED --
someuser@FCT.UNL.PT
2011-05-10T12:45:48 sending 257 bytes to IPv4:10.130.32.38
2011-05-10T12:45:48 AS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38
for krbtgt/FCT.UNL.PT@FCT.UNL.PT
2011-05-10T12:45:48 Client sent patypes: encrypted-timestamp
2011-05-10T12:45:48 Looking for PKINIT pa-data -- someuser@FCT.UNL.PT
2011-05-10T12:45:48 Looking for ENC-TS pa-data -- someuser@FCT.UNL.PT
2011-05-10T12:45:48 ENC-TS Pre-authentication succeeded --
someuser@FCT.UNL.PT using aes256-cts-hmac-sha1-96
2011-05-10T12:45:48 AS-REQ authtime: 2011-05-10T12:45:48 starttime:
unset endtime: 2011-05-11T12:45:49 renew till: 2011-05-11T12:45:49
2011-05-10T12:45:48 Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc,
des-cbc-md5, des-cbc-md4, using
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2011-05-10T12:45:48 Requested flags: renewable
2011-05-10T12:45:48 sending 672 bytes to IPv4:10.130.32.38
2011-05-10T12:45:49 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38
for afs/fct.unl.pt@FCT.UNL.PT [canonicalize, renewable]
2011-05-10T12:45:49 TGS-REQ authtime: 2011-05-10T12:45:48 starttime:
2011-05-10T12:45:49 endtime: 2011-05-11T12:45:49 renew till: unset
2011-05-10T12:45:49 sending 570 bytes to IPv4:10.130.32.38
2011-05-10T12:45:50 AS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38
for krbtgt/FCT.UNL.PT@FCT.UNL.PT
2011-05-10T12:45:50 No preauth found, returning PREAUTH-REQUIRED --
someuser@FCT.UNL.PT
2011-05-10T12:45:50 sending 257 bytes to IPv4:10.130.32.38
2011-05-10T12:45:51 AS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38
for krbtgt/FCT.UNL.PT@FCT.UNL.PT
2011-05-10T12:45:51 Client sent patypes: encrypted-timestamp
2011-05-10T12:45:51 Looking for PKINIT pa-data -- someuser@FCT.UNL.PT
2011-05-10T12:45:51 Looking for ENC-TS pa-data -- someuser@FCT.UNL.PT
2011-05-10T12:45:51 ENC-TS Pre-authentication succeeded --
someuser@FCT.UNL.PT using aes256-cts-hmac-sha1-96
2011-05-10T12:45:51 AS-REQ authtime: 2011-05-10T12:45:51 starttime:
unset endtime: 2011-05-11T12:45:51 renew till: 2011-05-11T12:45:51
2011-05-10T12:45:51 Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc,
des-cbc-md5, des-cbc-md4, using
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2011-05-10T12:45:51 Requested flags: renewable
2011-05-10T12:45:51 sending 672 bytes to IPv4:10.130.32.38
2011-05-10T12:45:51 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38
for krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT [renewable]
2011-05-10T12:45:51 Server not found in database:
krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT: no such entry found in hdb
2011-05-10T12:45:51 Failed building TGS-REP to IPv4:10.130.32.38
2011-05-10T12:45:51 sending 105 bytes to IPv4:10.130.32.38
2011-05-10T12:45:51 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38
for krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT [renewable]
2011-05-10T12:45:51 Server not found in database:
krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT: no such entry found in hdb
2011-05-10T12:45:51 Failed building TGS-REP to IPv4:10.130.32.38
2011-05-10T12:45:51 sending 107 bytes to IPv4:10.130.32.38
2011-05-10T12:45:57 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38
for krbtgt/FCT.UNL.PT@FCT.UNL.PT [renew, canonicalize, renewable,
forwardable]
2011-05-10T12:45:57 TGS-REQ authtime: 2011-05-10T12:45:48 starttime:
2011-05-10T12:45:57 endtime: 2011-05-10T22:45:57 renew till:
2011-05-17T12:45:48
2011-05-10T12:45:57 sending 680 bytes to IPv4:10.130.32.38
2011-05-10T12:45:58 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38
for krbtgt/FCT.UNL.PT@FCT.UNL.PT [canonicalize, renewable, forwardable]
2011-05-10T12:45:58 Server (krbtgt/FCT.UNL.PT@FCT.UNL.PT) has no support
for etypes
2011-05-10T12:45:58 Failed building TGS-REP to IPv4:10.130.32.38
2011-05-10T12:45:58 sending 107 bytes to IPv4:10.130.32.38
2011-05-10T12:45:58 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38
for krbtgt/FCT.UNL.PT@FCT.UNL.PT [renewable, forwardable]
2011-05-10T12:45:58 Server (krbtgt/FCT.UNL.PT@FCT.UNL.PT) has no support
for etypes
2011-05-10T12:45:58 Failed building TGS-REP to IPv4:10.130.32.38
2011-05-10T12:45:58 sending 107 bytes to IPv4:10.130.32.38
2011-05-10T12:45:58 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38
for afs/fct.unl.pt@FCT.UNL.PT [canonicalize, renewable, forwardable]
2011-05-10T12:45:59 TGS-REQ authtime: 2011-05-10T12:45:48 starttime:
2011-05-10T12:45:58 endtime: 2011-05-10T22:45:57 renew till:
2011-05-17T12:45:48
2011-05-10T12:45:59 sending 605 bytes to IPv4:10.130.32.38
--- snip ---
As you can see, there are several requests for
krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT, which doesn't exist. But the bad
part is that I don't see a single request for
afs/staff.fct.unl.pt@FCT.UNL.PT.
It seems that, in the end, it starts repeating the queries for the
fct.unl.pt cell, instead of trying the second cell staff.fct.unl.pt.
If I'm dead wrong, just tell me to shut up :)
Please advise.
Regards,
Hugo Monteiro.
--
fct.unl.pt:~# cat .signature
Hugo Monteiro
Email : hugo.monteiro@fct.unl.pt
Phone : +351 212948300 Ext.15307
Web : http://hmonteiro.net
Divisão de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Phone: +351 212948596 Fax: +351 212948548
www.fct.unl.pt apoio@fct.unl.pt
fct.unl.pt:~# _
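A small diagnostic script, added here as an example and not part of the original thread, that reads Heimdal KDC log lines in the format quoted above, tallies the TGS-REQ service principals, attaches the "Server not found in database" and "no support for etypes" failures to them, and reports which expected afs/<cell> principals were never requested at all. The embedded log is a constructed, condensed version of the quoted one (each record on a single line); the cell list and realm are parameters, and the summarize() function name is my own.

```python
import re
from collections import Counter

# Constructed sample, condensed from the Heimdal KDC log quoted in the
# thread ("<timestamp> <message>"); records are unwrapped onto one line.
SAMPLE_LOG = """\
2011-05-10T12:45:49 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for afs/fct.unl.pt@FCT.UNL.PT [canonicalize, renewable]
2011-05-10T12:45:49 TGS-REQ authtime: 2011-05-10T12:45:48 starttime: 2011-05-10T12:45:49 endtime: 2011-05-11T12:45:49 renew till: unset
2011-05-10T12:45:51 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT [renewable]
2011-05-10T12:45:51 Server not found in database: krbtgt/STAFF.FCT.UNL.PT@FCT.UNL.PT: no such entry found in hdb
2011-05-10T12:45:51 Failed building TGS-REP to IPv4:10.130.32.38
2011-05-10T12:45:58 TGS-REQ someuser@FCT.UNL.PT from IPv4:10.130.32.38 for krbtgt/FCT.UNL.PT@FCT.UNL.PT [renewable, forwardable]
2011-05-10T12:45:58 Server (krbtgt/FCT.UNL.PT@FCT.UNL.PT) has no support for etypes
2011-05-10T12:45:58 Failed building TGS-REP to IPv4:10.130.32.38
"""

# "TGS-REQ <client> from <addr> for <service> [flags]" (not the authtime line)
TGS_REQ = re.compile(r"^\S+ TGS-REQ (\S+) from (\S+) for (\S+)")
NOT_FOUND = re.compile(r"Server not found in database: (\S+):")
NO_ETYPES = re.compile(r"Server \((\S+)\) has no support for etypes")


def summarize(log_text, expected_cells, realm):
    """Count TGS-REQs per service principal, record why the KDC refused
    some of them, and list expected afs/<cell> principals never asked for."""
    requested = Counter()
    failures = {}
    for line in log_text.splitlines():
        m = TGS_REQ.match(line)
        if m:
            requested[m.group(3)] += 1
            continue
        m = NOT_FOUND.search(line)
        if m:
            failures[m.group(1)] = "no such entry found in hdb"
            continue
        m = NO_ETYPES.search(line)
        if m:
            failures[m.group(1)] = "no support for etypes"
    missing = [f"afs/{c}@{realm}" for c in expected_cells
               if f"afs/{c}@{realm}" not in requested]
    # krbtgt/<other realm>@<realm> is a cross-realm TGT request
    cross_realm = [p for p in requested if p.startswith("krbtgt/")
                   and p.split("/", 1)[1].rsplit("@", 1)[0] != p.rsplit("@", 1)[1]]
    return {"requested": dict(requested), "failures": failures,
            "missing_afs": missing, "cross_realm_tgt": cross_realm}


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG, ["fct.unl.pt", "staff.fct.unl.pt"],
                          "FCT.UNL.PT").items():
        print(f"{k}: {v}")
```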