So, my cell's conversion to the ADS realm continues to have snags.

We solved one... we have sftp access to the AFS area using PAM and the pam_krb5 module. As it turns out, we had to add both "no_krb4_use_as_req" and "no_krb4_convert_524" arguments to this, for both session and auth, in order to make it work. We also got mod_waklog to work pretty much as it did on the MIT Kerberos system.

However, when trying to get Samba to work on top of AFS, we're having problems getting a valid AFS token. We're running OpenAFS 1.4.11 and Samba version 3.0.33 on RHEL4. In the past, recompiling Samba with --with-fake-kaserver has worked great, but with the change of having ADS, the fake-kaserver is not working.

With logging set to 10 (too bad there's not an "11", hmm?), Samba shows the following as evidence of not getting a token:

----------------
[2009/07/22 16:55:13, 5] smbd/uid.c:change_to_user(273)
  change_to_user uid=(37302,37302) gid=(0,37302)
[2009/07/22 16:55:13, 10] lib/afs.c:afs_login(251)
  Trying to log into AFS for user [email protected]
[2009/07/22 16:55:13, 10] lib/afs.c:afs_encode_token(65)
  Got ticket string: afstest.iu.edu 8 mjeIXRYCQ0Y= 37302 1248296113 1248900913 BA7gMPPHnYu3/m1Ky+vhUVbN3kdlHmxo9RsBt4Hby0dBnH5d72vX2o3RiWn1549x
[2009/07/22 16:55:13, 10] lib/afs_settoken.c:afs_settoken(207)
  afs VIOCSETTOK returned -1
----------------

I can log in with smbclient, but without tokens, I get this:

ecgar...@moria:~$ smbclient //rufus2.uits.iupui.edu/ecgarris -U ADS\\ecgarris
Password:
Domain=[ADS] OS=[Unix] Server=[Samba 3.0.33-0.17]
smb: \> ls
NT_STATUS_NETWORK_ACCESS_DENIED listing \*

                0 blocks of size 0. 61680 blocks available

In smb.conf, I've made sure that the realm and cell are specified:

-----------
security = ADS
password server = ads.iu.edu
client ntlmv2 auth = yes
client lanman auth = no
realm = ADS.IU.EDU
afs username map = %[email protected]
afs token lifetime = 604800
----------

My suspicion is that the fake-kaserver is suffering from the same problem we had initially with PAM... it's somehow trying to convert a krb5 ticket to a krb4 one (or really does need to) and while the MIT Kerberos server does have a 524 facility, the ADS kerberos server does not.

Any ideas?

Thanks yet again!

Chris

--
Eric Chris Garrison | Principal Mass Storage Specialist
[email protected] | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: [email protected]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
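A small diagnostic for the level-10 log quoted in the post above, added here as an example; it is not the poster's code and not part of Samba or OpenAFS. The log shows that smbd did build a complete ticket string and that it was the VIOCSETTOK ioctl, not the encoding step, that returned -1, so the useful first question is whether the token Samba handed to the kernel is well-formed: an 8-byte DES session key, a DES-block-aligned ticket, a ViceId equal to the effective uid smbd switched to, and a lifetime equal to the configured "afs token lifetime". The field order assumed for the "Got ticket string" line (cell, kvno, base64 session key, ViceId, begin time, end time, base64 ticket) is read off the log line itself and is an assumption; the sample log is the poster's output with the redacted principal replaced by a placeholder.

```python
import base64
import binascii
import re

# Constructed sample input: the Samba level-10 log lines from the post,
# with the redacted principal replaced by a placeholder (assumption).
SAMPLE_LOG = """\
[2009/07/22 16:55:13, 5] smbd/uid.c:change_to_user(273)
  change_to_user uid=(37302,37302) gid=(0,37302)
[2009/07/22 16:55:13, 10] lib/afs.c:afs_login(251)
  Trying to log into AFS for user someuser@EXAMPLE.REALM
[2009/07/22 16:55:13, 10] lib/afs.c:afs_encode_token(65)
  Got ticket string: afstest.iu.edu 8 mjeIXRYCQ0Y= 37302 1248296113 1248900913 BA7gMPPHnYu3/m1Ky+vhUVbN3kdlHmxo9RsBt4Hby0dBnH5d72vX2o3RiWn1549x
[2009/07/22 16:55:13, 10] lib/afs_settoken.c:afs_settoken(207)
  afs VIOCSETTOK returned -1
"""

# Assumed field order of the "Got ticket string" line, taken from the log:
# cell kvno base64(session key) ViceId BeginTimestamp EndTimestamp base64(ticket)
TOKEN_RE = re.compile(
    r"Got ticket string: (?P<cell>\S+) (?P<kvno>\d+) (?P<key>\S+) "
    r"(?P<viceid>\d+) (?P<start>\d+) (?P<end>\d+) (?P<ticket>\S+)"
)
UID_RE = re.compile(r"change_to_user uid=\(\d+,(?P<euid>\d+)\)")
SETTOKEN_RE = re.compile(r"VIOCSETTOK returned (?P<rc>-?\d+)")


def parse_token_line(log_text):
    """Decode the token fields smbd logged, or return None if no ticket string is present."""
    m = TOKEN_RE.search(log_text)
    if m is None:
        return None
    return {
        "cell": m["cell"],
        "kvno": int(m["kvno"]),
        "session_key": base64.b64decode(m["key"]),
        "viceid": int(m["viceid"]),
        "start": int(m["start"]),
        "end": int(m["end"]),
        "ticket": base64.b64decode(m["ticket"]),
    }


def settoken_rc(log_text):
    """Return the VIOCSETTOK return code smbd logged, or None if that line is absent."""
    m = SETTOKEN_RE.search(log_text)
    return int(m["rc"]) if m else None


def check_token(log_text, expected_lifetime):
    """Sanity-check the token Samba built before the kernel saw it.

    Returns a list of findings; an empty list means the logged fields look
    consistent and the problem lies on the kernel/cell side rather than in
    what smbd encoded.
    """
    findings = []
    try:
        tok = parse_token_line(log_text)
    except (binascii.Error, ValueError):
        return ["ticket string contains invalid base64"]
    if tok is None:
        return ["no 'Got ticket string' line: smbd never built a token"]
    # rxkad session keys are single DES keys: exactly 8 bytes.
    if len(tok["session_key"]) != 8:
        findings.append("session key is %d bytes, expected 8 (DES)" % len(tok["session_key"]))
    # The ticket is a DES-encrypted blob, so its length is a multiple of the block size.
    if len(tok["ticket"]) == 0 or len(tok["ticket"]) % 8 != 0:
        findings.append("ticket length %d is not a multiple of 8" % len(tok["ticket"]))
    # The ViceId smbd puts in the token should be the uid it just switched to.
    um = UID_RE.search(log_text)
    if um is not None and int(um["euid"]) != tok["viceid"]:
        findings.append("ViceId %d does not match effective uid %s" % (tok["viceid"], um["euid"]))
    lifetime = tok["end"] - tok["start"]
    if lifetime != expected_lifetime:
        findings.append("token lifetime %ds does not match 'afs token lifetime' %ds"
                        % (lifetime, expected_lifetime))
    return findings


if __name__ == "__main__":
    print("VIOCSETTOK rc:", settoken_rc(SAMPLE_LOG))
    print("findings:", check_token(SAMPLE_LOG, 604800) or "token fields look consistent")
```

On the posted log the fields check out (8-byte key, 48-byte ticket, ViceId 37302, lifetime exactly 604800 seconds), which is what you want to establish before spending time on the 524 path: the krb5-to-krb4 question would surface as a failure to produce a ticket string at all, whereas a clean string followed by a -1 from VIOCSETTOK points at what the cache manager is checking (cell name, key version, ticket contents) rather than at the ticket-acquisition side.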
