[OpenAFS-win32-devel] Integrated Login Fails
Ben Fineman
bfineman@internet2.edu
Fri, 06 Aug 2004 09:36:56 -0400
Thanks for your help on this issue. The problem was two-fold: in the
krb5.ini file, there was a hidden "^M" character following the domain
realm entry (our mistake). This did not cause a formatting error but
caused us to be unable to get tokens through the AFS client. Secondly,
even with this corrected and being able to get tokens from the AFS
client application, integrated logon still fails. We have concluded that
this is due to the fact that we utilize "IBM Access Connections" to
manage our network connections. Unfortunately, Access Connections does
not start up the network interface until after logging on to Windows. We
noticed the following in the afs-issues.txt file:
===
(13) AFS Integrated Logon:
(13b) If using Kerberos, need to figure out a means of passing credentials
into the user space until such time as I finish the new credential
cache service.
(13c) If network is not available must store the username and password
somewhere until such time as the network starts.
===
This suggests to me that this is a known issue, and as the client is
written now integrated login will always fail if no network is available
at logon time. We will hopefully look forward to this feature in a
future release; however, we understand that this is a non-trivial
problem as caching of Kerberos passwords would need to be done in a
secure way.
Thanks for your help,
Ben
Jeffrey Altman wrote:
> Please double check that you do not have more than one version of KFW on
> your machine. I can't think of anything obvious other than the wrong
> libraries being loaded which would cause this problem.
>
> In particular, look for WSHELP32.DLL. An old version of that file
> could result in DNS lookup problems assuming you are relying on DNS
> for the Realm to KDC mappings.
>
>
> Ben Fineman wrote:
>
>> Thanks for the response. I cannot obtain tokens using the AFS systray
>> tool (as you probably suspected). It gives me the same "Cannot
>> resolve network address for KDC in requested realm" error with the
>> addition of "Error: -1765328164". I took a look at the krb5.ini file
>> and can't see anything blatantly wrong. I can send you the contents
>> of the file if that would be useful.
>>
>> Thanks,
>> Ben
>>
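
The hidden "^M" described in the message above can be found with a byte-level scan of krb5.ini. The following is an added example, not part of the original thread and not OpenAFS or KFW code. It assumes the file is meant to use one line-ending convention throughout, and the sample realm names are constructed.

```python
import re
import sys

# Control bytes other than TAB and LF; includes CR (0x0d), shown as ^M in editors.
CONTROL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")
SECTION = re.compile(rb"\s*\[([^\]]+)\]")

def find_hidden_chars(data: bytes):
    """Return (line_no, section, repr_of_line) for lines with stray control bytes."""
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()
    # Treat CRLF as the file's convention only when most lines end that way;
    # a lone CR in an otherwise LF file is then reported, not silently accepted.
    crlf_lines = sum(1 for line in lines if line.endswith(b"\r"))
    dominant_crlf = crlf_lines * 2 > len(lines)
    findings, section = [], None
    for no, line in enumerate(lines, 1):
        body = line[:-1] if dominant_crlf and line.endswith(b"\r") else line
        m = SECTION.match(body)
        if m:
            section = m.group(1).decode("ascii", "replace")
        if CONTROL.search(body):
            findings.append((no, section, repr(body)))
    return findings

# Constructed sample: LF line endings with one stray CR after a [domain_realm] entry.
SAMPLE = (
    b"[libdefaults]\n"
    b"\tdefault_realm = EXAMPLE.EDU\n"
    b"[domain_realm]\n"
    b"\t.example.edu = EXAMPLE.EDU\r\n"
    b"\texample.edu = EXAMPLE.EDU\n"
)

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for no, section, text in find_hidden_chars(data):
        print(f"line {no} in [{section}]: {text}")
```
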