[OpenAFS] Re: Windows TGS_REQ on alternate Netbios Names

Jeffrey Altman jaltman at columbia.edu
Sat Nov 29 13:27:22 EST 2003


Jason C. Wells wrote:

>
>That's what I had concluded after all.  I had hoped someone would be able
>to point me to a cool registry hack that fixed windows icky behavior.
>  
>
Its not icky behavior.  When the SMB client attempts to communicate with
the SMB service (even on the same machine) it is necessary for the published
name to be used.  There is no requirement that FOOBAR-AFS exist on the
machine FOOBAR. 

In an Active Directory environment, there would be published aliases so that
the AD can respond to a request for host/foobar-afs with a service ticket
encrypted with a key derived from the password for host/foobar.

This type of functionality is not available when using a non-Windows KDC
because the same level of integration for DNS updates, LDAP directory 
updates,
etc. can not be supported.

>I tried monkeying around with the "Running AFS on Loopback" that I read
>about in the AFS Wiki.  I later read your comments on disabling loopback
>hack. Knowing that a future release will not support the loopback hack, I
>decided against continuing it's use.
>  
>
There is nothing wrong with using the Loopback Adapter on Windows XP or 2003
systems.  It solves the problems for mobile users quite well given the
limitations of the current OpenAFS service implementation.  Unfortunately,
the loopback adapters on NT4 and 2000 do not properly loopback broadcast
packets.  Therefore, the NETBIOS name for the OpenAFS SMB service is never
registered.  The OpenAFS client service will run but the SMB clients cannot
find it.

The current OpenAFS head disables the use of the loopback hack when running
on systems prior to XP.

>The nice thing about it was that W13-AFS didn't appear in the NBTSTAT -n
>output for the "real" network interface.  For a while, the windows
>kerberos madness stopped.  (I went through a bazillion iterations today,
>so I may not be remembering correctly.)
>  
>
When the loopback adapter is installed, OpenAFS will only publish on the 
loopback
interface.  Therefore, other hosts will not see the name.

>But I do have a functioning single sign on network now.  Only MIT Kerberos
>5 does my authentication now and everything I run uses it. w00t!
>  
>
If you are only obtaining tokens for one cell whose name is the same as 
your
Kerberos 5 realm, you might want to consider using KfW 2.5's Leash as your
ticket/token management tool instead of afscreds.  Simply place

  leash32.exe -autoinit

into a Startup shortcut.  (You can even minimize it).  Microsoft 
Kerberos LSA
credentials will be auto-imported and afs tickets will be requested 
using Kerberos
5 and krb524d.  The tickets will be auto-renewed as approach expiration 
as well.

Jeffrey Altman


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3427 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20031129/08c3a3f1/attachment.bin


More information about the Kerberos mailing list