This is strange, since I'm not using the 524
registry entry. I'm not sure how this is functioning at all now...
Charles
At 06:06 AM 8/12/2005, Jeffrey Altman wrote:
Charles McIntyre wrote:
> Thanks for the response, Jeffrey.
>
> I'm mostly concerned with the change between 1.3.73 and 1.3.74 since
> anything after 1.3.73 breaks in our environment.
>
> Our servers are TransArc v3.6 and the admins are too overwhelmed with
> other priorities to update it, which is very unfortunate. I don't
> believe it supports K5.
It does not support Kerberos 5. This means that you can't use the
Kerberos 5 based tokens that OpenAFS 1.3.xx obtains by default. You
must obtain Kerberos 4 based tokens.
> I've poured through afs-install-notes and have found some gems, but also
> found some confusing points:
> "If KFW is installed, the Integrated Logon will use Kerberos 5 to obtain
> tokens. Otherwise, Kerberos 4 is used."
This is true. When KFW is installed, tokens will be obtained using
Kerberos 5 and perhaps converted to Kerberos 4 format with the krb524d.
Kerberos 4 will never be used.
> This is confusing, since our installation uses Integrated Logon and KFW,
> but I believe we can only get tokens with K4 tickets because of the
> TransArc server. I did a couple days of testing NOT using Integrated
> logon because this verbage led me to believe it would be requesting a
> token with a K5 ticket from our servers. When I finally did install
> using the Int. Logon option, I was very surprised when 1.3.73 worked.
Are you using the registry entry to use the 524 daemon?
> In terms of what is not working:
> Any version past 1.3.73 (even on a clean bare XP SP2 box), will hang
> Explorer when I attempt to map an afs path using the afscreds GUI or cmd
> line "net use x: //afs/cats.ucsc.edu/users/t/mcintyre". We have a
> cross-realm authentication scheme, so KFW gets the tickets
> automatically. I disable AFS tokens within KFW, because I found that it
> confuses the AFS client (this might have been fixed, dunno). THe
> workstations are used in general access labs, so we run a script that
> runs afscreds -a -q, finds their AFS path via LDAP, creates a submount
> (I know you're against this now), and maps the X: drive to //afs/home.
> For testing, I've disabled the logon script and ran it all by hand.
> Everything works like a charm until I actually try to mount an AFS path.
>
> 1.3.73 seems to be working well now, but we're very concerned about it
> and we've put it on "probation". During the summer, we've had about 10%
> of the lab machines hang at login when the AFS script runs. Since this
> failure rate is unacceptable, and we're very concerned that some new
> hotfix will break the version of the AFS client that we're stuck at,
> we're starting to research other methods of accessing the user's home
> directory, like Explorer integrated SFTP clients (MKS, Hummingbird, Web
> Drive, etc). It's currently contentious, since I'm advocating for the
> SSO aspects of AFS, but others in our group are concerned about
> stability and reliability... I wish I could wave my magic wand and have
> our AFS servers updated, but that's not going to happen any time soon.
Can you provide remote access to a machine that is experiencing the problem?
Can you provide such a machine with a debug version of 1.3.87 and the
Microsoft Debugging Tools for Windows?
Jeffrey Altman
> Charles
>
>
>
>
> At 02:37 PM 8/10/2005, Jeffrey Altman wrote:
>
>> Charles McIntyre wrote:
>> > We've been able to get OpenAFS 1.3.73 with KfW 2.6.5 to work with our
>> > cross-realm Kerberos login, but any version after that breaks Windows.
>> >
>> > What changed from 1.3.73 to 1.3.74 and subsequent versions? I
>> looked at
>> > the changes doc, but nothing rang out...
>> >
>> > We've even tried installing 1.3.74+ on a base XP Pro SP2 system and it
>> > still hangs explorer. I'm wondering if it has something to do with our
>> > server software.
>> >
>> > Any ideas?
>> >
>> > Thanks!
>> > Charles
>>
>> Lots of things have changed since 1.3.73.
>>
>> What is the version of the servers in your cell? Does it support
>> Kerberos 5? (aka OpenAFS 1.2.8 or higher?)
>>
>> Have you followed the debugging instructions in the
>> afs-install-notes.txt file?
>>
>> What is not working? Integrated Login? Obtaining tokens with the
>> AFS System Tray tool?
>>
>> Jeffrey Altman
>>
>
>
>
> º°`°º¤ø¤º°`°º¤øø¤º°`°º¤ø¤º°`°º¤øø¤º°`°º¤
>
> Charles McIntyre
> PC/UNIX Systems Engineer
> Instructional Computing
> Information Technology Services, UCSC
> ph: 831/459-5746
> fx: 831/459-2914
>
> got a question? see http://ic.ucsc.edu/help
º°`°º¤ø¤º°`°º¤øø¤º°`°º¤ø¤º°`°º¤øø¤º°`°º¤
Charles McIntyre
PC/UNIX Systems Engineer
Instructional Computing
Information Technology Services, UCSC
ph: 831/459-5746
fx: 831/459-2914
got a question? see http://ic.ucsc.edu/help
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
