RE: [OpenAFS] Help with Windows, OpenAFS 1.7 and Heimdal

[Steven H. Tender]

Thanks for the help, I am now able to get all the tickets/tokens needed to 
access AFS when running NIM.  I am not able to get AFS tickets during logon to 
the workstation.  From what I have read, this is a known limitation.  Is this 
true?  Are there workarounds?

Again, Win 7 machines in AD with a one way trust to Kerb.

-steve

-----Original Message-----
From: openafs-info-ad...@openafs.org [mailto:openafs-info-ad...@openafs.org] On 
Behalf Of Jeffrey Altman
Sent: Thursday, December 15, 2011 1:43 PM
To: openafs-info@openafs.org
Subject: Re: [OpenAFS] Help with Windows, OpenAFS 1.7 and Heimdal

On 12/15/2011 12:52 PM, Eric Sturdivant wrote:
> On Thu, 15 Dec 2011, Jeffrey Altman wrote:
> 
>> 32-bit NIM requires the krbv4w32.dll and krb524.dll from MIT KFW.
>> A future Heimdal distribution will bundle them as an optional install 
>> item and a future NIM distribution will stop supporting Kerberos v4 
>> entirely.
>>
>> For now you can copy the DLLs from the MIT distribution and place 
>> them in your PATH.
>>
> 
> This gets us a bit further, but now NIM fails getting AFS tokens. The 
> error message is "Credentials could not be obtained for cell glue.umd.edu".
> 
> aklog -d shows:
> 
> C:\Users\Administrator>aklog -d
> Authenticating to cell glue.umd.edu.
> Getting v5 tickets: afs/glue.umd....@umd.edu Kerberos error code 
> returned by get_cred: -1765328234
> aklog: Couldn't get glue.umd.edu AFS tickets: encryption type 
> des-cbc-crc is disabled

Kerberos distributions built after 2009 no longer permit DES as an encryption 
type by default.  This is true for Microsoft, Apple, MIT, Heimdal, etc.

To enable DES on the client, add

[libdefaults]
allow_weak_crypto = true

Future builds of OpenAFS with native Heimdal support will not require this.

Jeffrey Altman

:��T���&j)b�   b�өzpJ)ߢ�^��좸!��l��b��(���~�+����Y���b�ا~�����~ȧ~