Thanks for the response, Jeffrey.
I'm mostly concerned with the change between
1.3.73 and 1.3.74 since anything after 1.3.73 breaks in our environment.
Our servers are TransArc v3.6 and the admins are
too overwhelmed with other priorities to update
it, which is very unfortunate. I don't believe it supports K5.
I've poured through afs-install-notes and have
found some gems, but also found some confusing points:
"If KFW is installed, the Integrated Logon will
use Kerberos 5 to obtain tokens. Otherwise, Kerberos 4 is used."
This is confusing, since our installation uses
Integrated Logon and KFW, but I believe we can
only get tokens with K4 tickets because of the
TransArc server. I did a couple days of testing
NOT using Integrated logon because this verbage
led me to believe it would be requesting a token
with a K5 ticket from our servers. When I
finally did install using the Int. Logon option,
I was very surprised when 1.3.73 worked.
In terms of what is not working:
Any version past 1.3.73 (even on a clean bare XP
SP2 box), will hang Explorer when I attempt to
map an afs path using the afscreds GUI or cmd
line "net use x:
//afs/cats.ucsc.edu/users/t/mcintyre". We have a
cross-realm authentication scheme, so KFW gets
the tickets automatically. I disable AFS tokens
within KFW, because I found that it confuses the
AFS client (this might have been fixed,
dunno). THe workstations are used in general
access labs, so we run a script that runs
afscreds -a -q, finds their AFS path via LDAP,
creates a submount (I know you're against this
now), and maps the X: drive to //afs/home. For
testing, I've disabled the logon script and ran
it all by hand. Everything works like a charm
until I actually try to mount an AFS path.
1.3.73 seems to be working well now, but we're
very concerned about it and we've put it on
"probation". During the summer, we've had about
10% of the lab machines hang at login when the
AFS script runs. Since this failure rate is
unacceptable, and we're very concerned that some
new hotfix will break the version of the AFS
client that we're stuck at, we're starting to
research other methods of accessing the user's
home directory, like Explorer integrated SFTP
clients (MKS, Hummingbird, Web Drive, etc). It's
currently contentious, since I'm advocating for
the SSO aspects of AFS, but others in our group
are concerned about stability and
reliability... I wish I could wave my magic wand
and have our AFS servers updated, but that's not
going to happen any time soon.
Charles
At 02:37 PM 8/10/2005, Jeffrey Altman wrote:
Charles McIntyre wrote:
> We've been able to get OpenAFS 1.3.73 with KfW 2.6.5 to work with our
> cross-realm Kerberos login, but any version after that breaks Windows.
>
> What changed from 1.3.73 to 1.3.74 and subsequent versions? I looked at
> the changes doc, but nothing rang out...
>
> We've even tried installing 1.3.74+ on a base XP Pro SP2 system and it
> still hangs explorer. I'm wondering if it has something to do with our
> server software.
>
> Any ideas?
>
> Thanks!
> Charles
Lots of things have changed since 1.3.73.
What is the version of the servers in your cell? Does it support
Kerberos 5? (aka OpenAFS 1.2.8 or higher?)
Have you followed the debugging instructions in the
afs-install-notes.txt file?
What is not working? Integrated Login? Obtaining tokens with the
AFS System Tray tool?
Jeffrey Altman
º°`°º¤ø¤º°`°º¤øø¤º°`°º¤ø¤º°`°º¤øø¤º°`°º¤
Charles McIntyre
PC/UNIX Systems Engineer
Instructional Computing
Information Technology Services, UCSC
ph: 831/459-5746
fx: 831/459-2914
got a question? see http://ic.ucsc.edu/help
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
