Re: [OpenAFS] Integrated Windows Logon

Mon, 09 May 2011 11:03:07 -0700 

On 05/09/2011 05:52 PM, Hugo Monteiro wrote:

On 05/09/2011 05:18 PM, Hugo Monteiro wrote:

On 05/09/2011 03:25 PM, Jeffrey Altman wrote:

Now I understand why aklog works for you but afscreds and afslogon do
not.  aklog always tries the service principal afs/<cell>@<USER-REALM>
first regardless of what the VLDB host to domain mapping resolves to.
I would still like to see the output from nslookup for the AFSDB records. 

Jeffrey Altman




Hi Jeffrey,
I am assuming that the AFSDB records are to be specified under the dns zone that the client uses as its primary dns suffix. That said, and since the client dns suffix is oper.ci.fct.unl.pt, 


~$ dig -t AFSDB oper.ci.fct.unl.pt

; <<>> DiG 9.7.0-P1 <<>> -t AFSDB oper.ci.fct.unl.pt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 501
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;oper.ci.fct.unl.pt.        IN    AFSDB

;; ANSWER SECTION:
oper.ci.fct.unl.pt. 86400 IN AFSDB 1 staff-afs1.ci.fct.unl.pt. oper.ci.fct.unl.pt. 86400 IN AFSDB 2 staff-afs2.ci.fct.unl.pt. 

;; Query time: 3 msec
;; SERVER: 10.130.16.34#53(10.130.16.34)
;; WHEN: Mon May  9 17:10:27 2011
;; MSG SIZE  rcvd: 116
Either way, i have also tried by specifying the servers under the CellServDB file, and the result was the same.
I also have the same type of records available for the zones fct.unl.pt and staff.fct.unl.pt. This was my first approach, which upon rereading the docs seems the appropriate one. 
I have disabled the dns views so you can check for the records yourself.

Regards,

Hugo Monteiro.
I just deployed a fresh 32 bit win7 install. Added the TheseCells configurations and appropriate krb5.ini file. At logon it still doesn't get tokens for the second cell, but as soon as i issue aklog -d staff.fct.unl.pt in the command line it's able to get the tokens.
I'm in the process of deploying a fresh 64bit win7 install to replicate the same configuration.
I can tell you though that i can still see in my kdc that it's asking fot ktgt/[email protected] when at logon time. 

Regards,

Hugo Monteiro.

--
fct.unl.pt:~# cat .signature

Hugo Monteiro
Email    : [email protected]
Telefone : +351 212948300 Ext.15307
Web      : http://hmonteiro.net

Divisão de Informática
Faculdade de Ciências e Tecnologia da
                   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Telefone: +351 212948596   Fax: +351 212948548
www.fct.unl.pt                [email protected]

fct.unl.pt:~# _

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info

Reply via email to