John Tang Boyland wrote:
> Thanks all for the help and pointers.
> Unfortunately, none of the pieces of advice helped my student.
> He reinstalled OpenAFS 1.5.21 and KfW 3.2.0 and got the same
> behavior: if he tries to get AFS tokens: NIM waits about a minute
> and says "failed to retrieve credentials" even though it has
> no problem getting Kerberos 5 and Kerberos 4 credentials
> if the AFS tab is turned off.  (This is second-hand from the student.)
> 
> The problem may be because we don't use kaserver: and instead run 
> the KDC on the only AFS database machine (and k524 and fakeka).

Not using kaserver is good.  KFW is Kerberos v5.  If you are using
KFW, then you want to talk to the Kerberos v5 KDC.

Can the student obtain tokens with aklog?

  aklog -d <cellname>

will provide debugging info.   You will also obtain debugging info
if you turn on the NIM debugging log from the Options->General page.

> In previous versions of Windows, the default token getter failed
> because it tried to use Kerberos 4 protocol rather than kaserver
> protocol to get the TGT (the k524 translator starts before fakeka
> and so grabs some of the ports fakeka would use).

OpenAFS' afscreds tool uses Kerberos v4 unless KFW is installed in
which case it too uses Kerberos v5.

> But in older versions of Windows, it was enough to install Kerberos 5.
> It seems Windows VISTA OpenAFS does something different.

With NIM, the default is to use Kerberos v5 to obtain the token and only
fall back to Kerberos v4 if Kerberos v5 fails.

krb524 is only used if the user explicitly specifies that it should
be used.

> Sorry I can't be any clearer, but my student has given up, and
> will ftp into a host that has AFS and copy files into AFS there.

I'm sorry your student has had problems, but the problem really isn't
just OpenAFS and KFW running on Vista.  There is something else about
the environment that is lacking and we have not been provided enough
information to help you narrow it down.

Jeffrey Altman
Secure Endpoints Inc.
