Hi Jeff,

Thanks for replying.

I think what Justin is trying to do is log into a PC in an AD domain (using a local or domain account), obtain krb5 tickets in an MIT realm, get tokens in an AFS cell (afs/[email protected]), and optionally get tokens in a second AFS cell ([email protected]).

The principal names match. The passwords match. He has this working on a test machine in a test AD domain, but replicating it on a machine in a different AD domain is failing.

I'm under the impression, perhaps mistaken(?), that a tgt in NIM is necessary for NIM to renew tickets and AFS tokens past the default lifetime.

On Tue, 4 May 2010, Jeffrey Altman wrote:

On 5/4/2010 4:24 PM, Justin Brinegar wrote:
What would cause me to not get the MITKERB.UNC.EDU ticket on screw?  The
krb5.ini files for the machines are the same, each can resolve the
proper KDCs.  I have installed KFW 32/64 and NIMv2 32/64 - the 64-bit
netidmgr.exe launches upon logon with screw.  Once I get the ticket on
logon, I'll use it to get tokens for two AFS cells automatically (works
fine on wedge).

AFS token acquisition at logon is performed using the afslogon.dll
network provider and is independent of the kfwlogon.dll.  It gets its
own Kerberos TGT and uses its per domain configuration for deciding what
realm to obtain a TGT from and which cells to obtain tokens for.


KFW - 3.2.2
NIM - 2.0.0.304
screw/AFS - 1.5.7400
wedge/AFS - 1.5.7200

I'm in communication with the Domain Admin for adproduction.unc.edu, but
I wanted to check with the community.

Any cookbook recipes or ideas are welcome.

Justin

I think you need to start off by explaining what you are trying to
accomplish.  Do you want a TGT acquired during the logon process or do
you want NIM to import a TGT from the Microsoft LSA cache and then do
something with it?

Jeffrey Altman


_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
