On 1/26/2012 2:26 PM, John Tang Boyland wrote:

> I had several students dutifully download OpenAFS 1.7.4 and Heimdal KfW
> (as recommended) and then NetworkIdentityManager v2 (three separate
> downloads and installs) only to have NIM say that it can't get AFS
> tokens.

Currently shipping versions of OpenAFS do not have native support for Heimdal. They access Heimdal via the MIT KFW compatibility APIs, which do not provide the ability to enable weak crypto for a single ticket request. All of the code has been written and is sitting on 'master', but until I am satisfied with the performance and reliability of the afs redirector in 1.7.x I will not be spending the time to pull it up. Once the native Heimdal support is added to 1.7.x, the allow_weak_crypto configuration will not be required.

The reason that there are three separate installers is that each product is independent. They each have a separate development road map and development teams.

> After a lot of searching (searching C:\ takes a LONG time!), I found
> krb5.conf in C:\ProgramData\Kerberos but being a system file, it
> couldn't be edited.

It is not a system file. It is however a configuration file that cannot be edited without Administrator privileges. This is true for all of \ProgramData and \Program Files and is not specific to Heimdal. Run notepad.exe as Administrator.

> Finally with one student, he was able to make it so
> we could save our changes, but then NIM didn't work at ALL (and "kinit"
> in the command window gave error 22: couldn't initialize the context).
> Even removing allow_weak_crypto again still didn't solve the problem, so
> we removed the file and reinstalled, this time with MIT KfW (64 bit from
> Secure Endpoints, thanks) which doesn't have the disallow-AFS-by-default
> "feature".

The reason that Heimdal is preferred over MIT KFW is that on Win7, MIT KFW can result in very random behavior and can crash applications it is loaded into (including the winlogon.exe service, which if it crashes will cause the machine to BSOD). Choose your poison.

> With the next student, we edited the file, saved it under
> a different name, and then used an administrator shell to
> rename the files. Then with NIM restarted everything worked.
>
> Questions:
>
> (1) Is it really true that OpenAFS tells people to download software
> that doesn't work without manually fiddling with configuration
> files? Or did I do something wrong with the install?

Perhaps.

> (2) Instead, could we have the Heimdal installer default
> "allow_weak_crypto = true" ?

Even if the Heimdal project would permit it, this is not the place to ask for it. Although I can tell you the answer will be 'no'.

> (3) If we're stuck with (1) and can't do (2), would anyone like me to
> write up the installation sequence required on the Wiki? And maybe
> the download page could point to it so poor lusers could find it?
> And maybe for MacOSX too, which also requires
> a manual fiddling with /etc/krb5.conf after installation.

You mean update http://wiki.openafs.org/AFSLore/WindowsEndUserQuickStartGuide/ and http://wiki.openafs.org/AFSLore/WindowsConfigurationReferenceGuide/ and http://wiki.openafs.org/AFSLore/WindowsTroubleshootingGuide/ to match current releases? That would be much appreciated.

> (4) Is there a plan to finally wean AFS servers off des-cbc-crc ?

http://workshop.openafs.org/afsbpw10/talks/fri_1/rxgk-afsbpw.pdf
http://tools.ietf.org/html/wilkinson-afs3-rxgk-02
http://tools.ietf.org/html/wilkinson-afs3-rxgk-afs-01

Where we are at is that Your File System Inc has a fully operational implementation, but until such time as consensus is reached that the drafts above require no additional protocol changes, OpenAFS cannot accept the code. Anyone that wants to help should read the Internet Drafts and provide comments on the afs3-standardizat...@openafs.org mailing list.

Jeffrey Altman
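The whole thread turns on one line in the [libdefaults] section of krb5.conf: whether `allow_weak_crypto = true` is present, which is what lets the DES-only AFS service ticket be requested. The script below is an added example, written for this page and not code from the thread, OpenAFS, Heimdal or MIT; it parses a constructed krb5.conf (the sample text and the EXAMPLE.ORG realm are made up) in the same section/key = value layout and reports whether weak crypto is enabled, so an administrator auditing a lab image can see at a glance which machines still carry the DES exception that the native Heimdal support is meant to make unnecessary.

```python
# Constructed sample krb5.conf; not taken from the thread or any real site.
# The libdefaults stanza enables weak crypto, as the students were told to do.
SAMPLE_KRB5_CONF = """\
# lab image, edited by hand
[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = true

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""

# Boolean spellings accepted by the krb5 profile library.
_TRUE_VALUES = {"true", "yes", "on", "1"}


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the flat key = value relations
    directly under each [section] header.

    Brace-delimited sub-stanzas (such as the per-realm blocks in [realms])
    are skipped rather than parsed; that is sufficient for inspecting
    [libdefaults], which is flat. Section and key names are lower-cased so
    lookups are case-insensitive.
    """
    sections = {}
    current = None
    depth = 0  # nesting depth inside { ... } blocks
    for raw in text.splitlines():
        line = raw.strip()
        # krb5.conf treats lines beginning with '#' or ';' as comments.
        if not line or line[0] in "#;":
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth = max(0, depth - 1)
            continue
        if depth == 0 and current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key.lower()] = value
    return sections


def weak_crypto_enabled(text):
    """True when [libdefaults] sets allow_weak_crypto to a true-ish value.
    Absent key means the library default, which is off."""
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    value = libdefaults.get("allow_weak_crypto", "false")
    return value.strip().lower() in _TRUE_VALUES


def audit(text):
    """Return a one-line finding suitable for a config-drift report."""
    if weak_crypto_enabled(text):
        return "FINDING: allow_weak_crypto is enabled (DES enctypes permitted)"
    return "OK: weak crypto is not enabled"


if __name__ == "__main__":
    # On a real host you would read C:\ProgramData\Kerberos\krb5.conf
    # (or /etc/krb5.conf); the constructed sample is used here instead.
    print(audit(SAMPLE_KRB5_CONF))
```

Running it against the constructed sample reports the finding; removing the `allow_weak_crypto` line, or setting it to `false`, makes the same script report OK, which is the state a 1.7.x release with native Heimdal support would let the lab return to.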