[8672] in Info-AFS_Redistribution
Re: Windows with Krb5
daemon@ATHENA.MIT.EDU (Kevin Coffman)
Thu May 10 16:53:23 2001
To: Elmar Abeln <elmar.abeln@urz.uni-heidelberg.de>
Cc: info-afs@transarc.com, Kevin Coffman <kwc@citi.umich.edu>
In-reply-to: Your message of "Tue, 24 Apr 2001 13:39:34 +0200."
<200104241139.NAA193980@aixmita1.urz.uni-heidelberg.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 10 May 2001 16:46:53 -0400
From: Kevin Coffman <kwc@citi.umich.edu>
Message-Id: <20010510204653.D109A207C1@citi.umich.edu>
We just installed Patch 2 (AFS 3.6 2.14) on a couple of Windows 2000
boxes and they both exhibit the same behavior. The kerberos request
packet they are sending is malformed, causing the following message in
the (MIT K5 1.2.1) KDC log:
krb5kdc: Invalid message type - while dispatching
The client -- after timing out to all the KDCs, since it never gets a
reply -- displays:
The AFS client was unable to obtain tokens as kwc in cell umich.edu
Error: 56 (Authentication Server was unavailable)
Anyone else seen this?
K.C.
> Has anyone successfully used the Windows AFS client in an AFS cell with Ken
> Hornstein's NRL AFS-Kerberos5 migration kit (which allow you to run a
> normal Krb5 server, storing afs3, krb5, and krb4 keys)? We've successfully
> used it with unix clients (using aklog to obtain AFS tokens from krb5
> tickets) and have preserved the ability for users from foreign cells to
> authenticate to our servers by running "fakeka", which decodes just enough
> of the RX packet to forward the authentication request to the krb5 server.
> So far so good... but the Windows AFS client has looked more attractive to
> us lately and we cannot get it to work with our modified setup...
>
> I can browse AFS filespace unauthenticated just fine. I can
> successfully obtain tokens for an unmodified AFS.
>
> But authenticating to the KDC Server i got at first the error
> The AFS Client was unable to obtain tokens as x30 in cell urz.uni-heidelberg.de
> Error: 37 (unknown authentication error 37).
>
> This was an result of bad skewed times on Win and Kdc-Server (sol 7)
> But after correctin this problem i got an expired token (!) with
> expiration time 11:41:00 12/12/17 (!!!).
> Has anyone an idea ?
>
> Thank for help.
>
> Elmar
>
> ------------------------------------------------------------------------
> Dr. Elmar Abeln email: Elmar.Abeln@URZ.Uni-Heidelberg.DE
> Universitaetsrechenzentrum
> Im Neuenheimer Feld 293 phone: +49 (6221) 54 4513
> D 69120 Heidelberg fax: +49 (6221) 54 5581
> ---------------------------------------------------------------------------
