[OpenAFS] what is the state of the art client setup for openafs
+ krb5 + windows
Fri, 11 Apr 2014 11:35:32 -0500
We run recent 1.7 clients on our Windows 7 64-bit and Server 2008R2
computers along with MIT KFW 3.2.2, and we use the integrated login.
Our setup is perhaps a little different than most, but we use alternate
security identities at our site. For a user "username":
cs.wisc.edu AFS cell name
username@CS.WISC.EDU kerberos principal
username@AD.CS.WISC.EDU Windows domain user
All passwords for users are in the kerberos domain, and a kerberos trust
between the MIT KDC and domain controllers is in place. The Windows
user has an "altSecurityIdentities" entry set pointed at
This setup will fetch a kerberos ticket from the MIT KDC at login, and
that ticket is used to get an AFS token during login with integrated
login enabled. It has worked quite well for our site.
Documentation from Microsoft for how to set this up was originally
written for Windows 2000 (?!), but it still seems to work fine with
encryption types need to be enabled in group policy to allow DES
principals to authenticate and obtain an AFS token.
UW-Madison Computer Sciences
On 04/10/2014 03:34 AM, Gergely Risko wrote:
> In my cell, I use Heimdal + OpenAFS fileserver on linux.
> I only enabled krb5, the only keytype for my afs principal is
> aes256-cts-hmac-sha1-96. Everything works great on linux clients with
> the usual kinit from heimdal, they even get tokens automatically. For
> MIT clients I have to run an extra aklog, but that's OK. MacOS works
> too out of the box.
> My question is about Windows: what is the currently recommeneded
> practice on windows clients for this kind of KRB5 only installations? I
> managed to get it working with some combination of MIT kerberos for
> windows and openafs 1.7, but it involves the user calling kinit and
> aklog in the command line. This is ugly, because the user has to know,
> that the graphical password input window is useless and should be ignored.
> So, what exact binaries do you guys download and use on Windows 7 to get
> graphical kerberos password prompt and openafs tokens?
> OpenAFS-info mailing list