[OpenAFS] AFS client -> Windows server w/AD & KDC -> Linux AFS servers

Mickey Lane mlane@sinenomine.net
Thu, 26 May 2011 08:43:03 -0500

> On 26.05.2011 12:31, Mickey Lane wrote:
> > Hi,
> >
> > I want an AFS client (Windows or Linux) to get kerberos credentials
> > from a Windows Server and use them to access AFS servers on a Linux
> > machine. The Linux machine does not have a KDC.
> >
> > Although I haven't personally tried it, I'm under the impression this
> > works without too many AD configuration issues with Server 2003.
> > I'm also under the impression it works with Server 2008 R2 once DES
> > is enabled.
> >
> > I currently have 2008 Standard (not R2) configured to provide tickets
> > and I've moved the keytab to the Linux machine, etc. The process
> > *appears* to work but the credentials are invalid. Kvno numbers are
> > correct. I think the problem is improper encryption types.
> >
> > I'm aware of a Microsoft update to 64-bit Server 2008 that is related
> > to password corruption in this process.
> >
> > My question: Has anyone ever made this work on Server 2008 Standard
> > (not R2)?
Lars Schimmer wrote:

> I know it works on Win 2008 Standard, but I do run 2008R2 for AD
> services including krb5 auth for users on linux clients.
> My self-notes are here to be read:

I have seen this document. It mentions "Server 2003 SP2" in the first few
lines so I didn't pay much attention to it as I was/am interested in Server
2008 (not-R2).

Under the section for 2008 R2, the instruction to add a registry value
KdcUseRequestedEtypesForTicket definitely helped with the encryption types
on Server 2008 (not-R2).

Now I appear to have kvno issues again. On both Linux and Windows clients:

C:\OpenAFS>kvno host/server64.mickeylane.com
host/server64.mickeylane.com@MICKEYLANE.COM: kvno = 4

I use Network Identity Manager (NIM) to get credentials on a Windows 7

The property page for afs/test.mickeylane.com@MICKEYLANE.COM
shows kvno #5. The page for krbtgt/MICKEYLANE.COM@MICKEYLANE.COM
shows kvno #2.
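Added example, not part of the thread: a small checker for the symptom described above, comparing the kvno the KDC puts in a service ticket (as printed by `kvno`) against the key versions actually present in the server's keytab (as printed by MIT `klist -kte`). The sample outputs are constructed to mirror the numbers in the message, not real captures.

```python
"""Detect kvno mismatches between issued service tickets and a keytab.

A service can only decrypt a ticket if its keytab holds a key with the same
kvno the KDC used; a mismatch gives the "credentials are invalid" symptom
even though the principal names and the TGT are fine.
"""
import re

# Constructed: modelled on `klist -kte /etc/krb5.keytab` (MIT format)
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------------
   5 05/26/11 08:00:00 host/server64.mickeylane.com@MICKEYLANE.COM (des-cbc-crc)
   5 05/26/11 08:00:00 afs/test.mickeylane.com@MICKEYLANE.COM (des-cbc-crc)
"""

# Constructed: modelled on `kvno <principal>` run on a client holding a TGT
KVNO_OUTPUT = """host/server64.mickeylane.com@MICKEYLANE.COM: kvno = 4
afs/test.mickeylane.com@MICKEYLANE.COM: kvno = 5
"""

KEYTAB_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s*(?:\((\S+)\))?$")
KVNO_RE = re.compile(r"^(\S+@\S+): kvno = (\d+)$")


def parse_keytab(text):
    """Map principal -> set of kvnos present in the keytab listing."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:  # header/separator lines do not match and are skipped
            keys.setdefault(m.group(2), set()).add(int(m.group(1)))
    return keys


def parse_kvno(text):
    """Map principal -> kvno of the service ticket the KDC issued."""
    return {m.group(1): int(m.group(2))
            for m in (KVNO_RE.match(l) for l in text.splitlines()) if m}


def find_mismatches(keytab_text, kvno_text):
    """Return {principal: (issued_kvno, sorted keytab kvnos)} for every
    principal whose issued kvno has no matching key in the keytab."""
    keytab = parse_keytab(keytab_text)
    bad = {}
    for princ, issued in parse_kvno(kvno_text).items():
        have = keytab.get(princ, set())
        if issued not in have:
            bad[princ] = (issued, sorted(have))
    return bad


if __name__ == "__main__":
    for p, (issued, have) in find_mismatches(KLIST_OUTPUT, KVNO_OUTPUT).items():
        print(f"{p}: KDC issued kvno {issued}, keytab has {have or 'no key'}")
```

With the constructed input the `host/` principal is flagged (ticket kvno 4, keytab only has 5), which is the state to look for after re-creating or re-exporting an AD service account's keytab.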