Hopefully this is the right place for questions on using Network Identity
Manager with AFS. I'm trying to set up a Windows 7 client to access
multiple AFS cells while the cells transition from kaserver to a krb5 kdc.
The default cell will be the last to migrate to krb5. We have IBM AFS
servers that don't support v5 tickets and will for a while, so I need to
use krb524d.
For the default cell I'm able to get tokens only by using klog on the
command line and they work so I'm able to access that AFS cell. I've added
identities for two test krb5 realms/AFS cells into netidmgr and
added/updated the AFS tab in the identity configuration for each to specify
the correct cell for each realm and set the method to "Kerberos v5 to v4".
When I try to obtain new credentials for either of these realms/cells, I
get the following error:

    Getting AFS tokens...
    Credentials could not be obtained for cell <cell>.ibm.com

Looking at a Wireshark trace I see a successful AS-REQ getting my krb5 tgt,
and a successful TGS-REQ to get the afs service ticket. I don't see any
attempt to talk to krb524d to convert that ticket to v4.
The nidmdbg.log shows:

    11:04:00.312 [98] Begin: Getting AFS tokens... (child of [96])
    11:04:00.312 2948[98] Info:(AfsCred) AFS New Creds :: ident 0000000001BF3E30
    11:04:00.312 2948[98] Info:(AfsCred) Getting tokens for cell <cell>.ibm.com with realm <REALM>.IBM.COM using method 2
    11:04:00.312 2948[98] Debug(1): Trying Kerberos 5
    11:04:00.375 2948[98] Debug(1): Trying Krb524
    11:04:00.375 2948[98] Debug(1): Kerberos 4 not configured
    11:04:00.375 2948[98] ERROR:(AfsCred) Credentials could not be obtained for cell <cell>.ibm.com.

I see in the netidmgr docs the following statement about Kerberos 4:

    Obtaining Kerberos v4 tickets is optional and may not be available on
    all systems. When available, Kerberos v4 tickets may only be obtained for
    the default identity.

Does this statement just apply to the AFS plugin and krb524d as well as
trying to get a v4 tgt or service ticket? If so is there any way around
this? I will have multiple identities that I need to obtain AFS tokens for
so setting one to default to get the Kerberos 4 tab/config won't solve the
issue.
John Janosik
[email protected]