KfW 2.6 and NT Domains

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Jul 14 18:11:28 EDT 2006


Sensei wrote:
> Hi!
> 
> I'm back on 2.6 for production machines, but now I'm working on some
> testing XP clients. These clients are joined to an NT domain (a Samba 3
> NT domain) with roaming profile. Samba username and password match the
> corresponding MIT principal.

NT4 domains do not use Kerberos and KFW 2.6.5 does not provide a
Network Provider DLL for use in obtaining Kerberos tickets at logon.
This feature was first introduced in KFW 3.0.

> I expected to have an integrated logon gaining the Kerberos ticket as if
> it were a local user, but unfortunately, leash comes up asking for
> principal and password.
> 
> Moreover, there's a weird behavior. The AFS integrated logon works like
> a charm gaining the token for a user without any password, both a local
> one and an NT domain user with a roaming profile. Still leash doesn't
> show any ticket, but only the AFS token. Note that I'm not running
> kaserver, but a pure MIT KDC.
>
> Am I missing something really obvious?

The OpenAFS for Windows Integrated Logon stores the Kerberos ticket
in a cache named for the user principal.  If the principal is

   joe@MY.COMPANY

then the cache is

   API:joe@MY.COMPANY

If you configure Leash to use that as the default ccache for the user
I am sure you will see the tickets.

Jeffrey Altman


