KfW 2.6 and NT Domains - Kerberos


  1. KfW 2.6 and NT Domains

    Hi!

    I'm back on 2.6 for production machines, but now I'm working on some
    testing XP clients. These clients are joined to an NT domain (a Samba 3
    NT domain) with roaming profile. Samba username and password match the
    corresponding MIT principal.

    I expected to have an integrated logon gaining the Kerberos ticket as
    if it were a local user, but unfortunately, leash comes up asking for
    principal and password.

    Moreover, there's a weird behavior. The AFS integrated logon works like
    a charm gaining the token for a user without any password, both a local
    one and an NT domain user with a roaming profile. Still leash doesn't
    show any ticket, but only the AFS token. Note that I'm not running
    kaserver, but a pure MIT KDC.

    Am I missing something really obvious?

    Thanks to anyone!

    --
    Sensei

    The optimist thinks this is the best of all possible worlds.
    The pessimist fears it is true. [J. Robert Oppenheimer]


  2. Re: KfW 2.6 and NT Domains

    Sensei wrote:
    > Hi!
    >
    > I'm back on 2.6 for production machines, but now I'm working on some
    > testing XP clients. These clients are joined to an NT domain (a Samba 3
    > NT domain) with roaming profile. Samba username and password match the
    > corresponding MIT principal.


    NT4 domains do not use Kerberos and KFW 2.6.5 does not provide a
    Network Provider DLL for use in obtaining Kerberos tickets at logon.
    This feature was first introduced in KFW 3.0.

    > I expected to have an integrated logon gaining the Kerberos ticket as if
    > it were a local user, but unfortunately, leash comes up asking for
    > principal and password.
    >
    > Moreover, there's a weird behavior. The AFS integrated logon works like
    > a charm gaining the token for a user without any password, both a local
    > one and an NT domain user with a roaming profile. Still leash doesn't
    > show any ticket, but only the AFS token. Note that I'm not running
    > kaserver, but a pure MIT KDC.
    >
    > Am I missing something really obvious?


    The OpenAFS for Windows Integrated Logon stores the Kerberos ticket
    in a cache named for the user principal. If the principal is

    joe@MY.COMPANY

    then the cache is

    API:joe@MY.COMPANY

    If you configure Leash to use that as the default ccache for the user
    I am sure you will see the tickets.

    Jeffrey Altman

  3. Re: KfW 2.6 and NT Domains

    On 2006-07-15 00:11:28 +0200, Jeffrey Altman said:

    > NT4 domains do not use Kerberos and KFW 2.6.5 does not provide a
    > Network Provider DLL for use in obtaining Kerberos tickets at logon.
    > This feature was first introduced in KFW 3.0.


    I see, but since it's buggy as you told me...

    > The OpenAFS for Windows Integrated Logon stores the Kerberos ticket
    > in a cache named for the user principal. If the principal is
    >
    > joe@MY.COMPANY
    >
    > then the cache is
    >
    > API:joe@MY.COMPANY
    >
    > If you configure Leash to use that as the default ccache for the user
    > I am sure you will see the tickets.


    Jeffrey, I will investigate this, but it seems that even the TGT isn't
    there (using API: cache). I will take a look asap.

    --
    Sensei

    The optimist thinks this is the best of all possible worlds.
    The pessimist fears it is true. [J. Robert Oppenheimer]


  4. Re: KfW 2.6 and NT Domains

    Sensei wrote:
    > On 2006-07-15 00:11:28 +0200, Jeffrey Altman said:
    >
    >> NT4 domains do not use Kerberos and KFW 2.6.5 does not provide a
    >> Network Provider DLL for use in obtaining Kerberos tickets at logon.
    >> This feature was first introduced in KFW 3.0.

    >
    > I see, but since it's buggy as you told me...
    >
    >> The OpenAFS for Windows Integrated Logon stores the Kerberos ticket
    >> in a cache named for the user principal. If the principal is
    >>
    >> joe@MY.COMPANY
    >>
    >> then the cache is
    >>
    >> API:joe@MY.COMPANY
    >>
    >> If you configure Leash to use that as the default ccache for the user
    >> I am sure you will see the tickets.

    >
    > Jeffrey, I will investigate this, but it seems that even the TGT isn't
    > there (using API: cache). I will take a look asap.


    "klist -C" will display for you all of the credential caches.

    Note that you haven't said what version of OpenAFS for Windows you
    are using. Not all OAFW releases support the functionality you need.
    The current releases do.

    If they are not working, then debug the integrated login functionality
    as documented in the OpenAFS for Windows Release Notes.

    Jeffrey Altman


