Charles McIntyre wrote:

> Thanks for the response, Jeffrey.
>
> I'm mostly concerned with the change between 1.3.73 and 1.3.74 since
> anything after 1.3.73 breaks in our environment.
>
> Our servers are TransArc v3.6 and the admins are too overwhelmed with
> other priorities to update it, which is very unfortunate. I don't
> believe it supports K5.

It does not support Kerberos 5. This means that you can't use the Kerberos 5 based tokens that OpenAFS 1.3.xx obtains by default. You must obtain Kerberos 4 based tokens.

> I've pored through afs-install-notes and have found some gems, but also
> found some confusing points:
> "If KFW is installed, the Integrated Logon will use Kerberos 5 to obtain
> tokens. Otherwise, Kerberos 4 is used."

This is true. When KFW is installed, tokens will be obtained using Kerberos 5 and perhaps converted to Kerberos 4 format with the krb524d. Kerberos 4 will never be used.

> This is confusing, since our installation uses Integrated Logon and KFW,
> but I believe we can only get tokens with K4 tickets because of the
> TransArc server. I did a couple days of testing NOT using Integrated
> logon because this verbiage led me to believe it would be requesting a
> token with a K5 ticket from our servers. When I finally did install
> using the Int. Logon option, I was very surprised when 1.3.73 worked.

Are you using the registry entry to use the 524 daemon?

> In terms of what is not working:
> Any version past 1.3.73 (even on a clean bare XP SP2 box), will hang
> Explorer when I attempt to map an afs path using the afscreds GUI or cmd
> line "net use x: //afs/cats.ucsc.edu/users/t/mcintyre". We have a
> cross-realm authentication scheme, so KFW gets the tickets
> automatically. I disable AFS tokens within KFW, because I found that it
> confuses the AFS client (this might have been fixed, dunno). The
> workstations are used in general access labs, so we run a script that
> runs afscreds -a -q, finds their AFS path via LDAP, creates a submount
> (I know you're against this now), and maps the X: drive to //afs/home.
> For testing, I've disabled the logon script and ran it all by hand.
> Everything works like a charm until I actually try to mount an AFS path.
>
> 1.3.73 seems to be working well now, but we're very concerned about it
> and we've put it on "probation". During the summer, we've had about 10%
> of the lab machines hang at login when the AFS script runs. Since this
> failure rate is unacceptable, and we're very concerned that some new
> hotfix will break the version of the AFS client that we're stuck at,
> we're starting to research other methods of accessing the user's home
> directory, like Explorer integrated SFTP clients (MKS, Hummingbird, Web
> Drive, etc). It's currently contentious, since I'm advocating for the
> SSO aspects of AFS, but others in our group are concerned about
> stability and reliability... I wish I could wave my magic wand and have
> our AFS servers updated, but that's not going to happen any time soon.

Can you provide remote access to a machine that is experiencing the problem? Can you provide such a machine with a debug version of 1.3.87 and the Microsoft Debugging Tools for Windows?

Jeffrey Altman

> Charles
>
> At 02:37 PM 8/10/2005, Jeffrey Altman wrote:
>
>> Charles McIntyre wrote:
>> > We've been able to get OpenAFS 1.3.73 with KfW 2.6.5 to work with our
>> > cross-realm Kerberos login, but any version after that breaks Windows.
>> >
>> > What changed from 1.3.73 to 1.3.74 and subsequent versions? I looked at
>> > the changes doc, but nothing rang out...
>> >
>> > We've even tried installing 1.3.74+ on a base XP Pro SP2 system and it
>> > still hangs explorer. I'm wondering if it has something to do with our
>> > server software.
>> >
>> > Any ideas?
>> >
>> > Thanks!
>> > Charles
>>
>> Lots of things have changed since 1.3.73.
>>
>> What is the version of the servers in your cell? Does it support
>> Kerberos 5? (aka OpenAFS 1.2.8 or higher?)
>>
>> Have you followed the debugging instructions in the
>> afs-install-notes.txt file?
>>
>> What is not working? Integrated Login? Obtaining tokens with the
>> AFS System Tray tool?
>>
>> Jeffrey Altman
>
> º°`°º¤ø¤º°`°º¤øø¤º°`°º¤ø¤º°`°º¤øø¤º°`°º¤
>
> Charles McIntyre
> PC/UNIX Systems Engineer
> Instructional Computing
> Information Technology Services, UCSC
> ph: 831/459-5746
> fx: 831/459-2914
>
> got a question? see http://ic.ucsc.edu/help
