KfW krb5.conf inclusions

Jeffrey Altman jaltman at secure-endpoints.com
Fri May 4 14:42:17 EDT 2007

David Bear wrote:
>> Does your NIM identity for the Windows principal have a configuration
>> stating it should obtain AFS tokens?   I bet that is what is failing.
> I don't know what a NIM identity is or how to check for it. Any
> pointers?
What version of KFW are you using?  Network Identity Manager ships in
version 3.0 and above.

I have links to the documentation for NIM accessible from
> I do know there is a cross realm trust from our AD domain to our MIT
> realm. (please note when I speak of MIT realm, its NOT MIT -- its
> just a true MIT based kerb realm)
This is only relevant if you want to be able to use the Windows logon name


to obtain the AFS tokens for the cell asu.edu.   Note that
user at WINDOWS.ASU.EDU is not the same as user at ASU.EDU.   There are things
that you can do to enable the asu.edu to treat both names as the same
but let's not go there right now.  Its not relevant to your question.
>> KFW will use DNS SRV lookups to obtain the data for the Windows Active
>> Directory realm if you don't include them in the krb5.ini file.
> I have verified that we use dsn records for our afs servers
DNS AFSDB records are not the same as DNS SRV records for Kerberos.   
DNS SRV records will be of the form

    _kerberos._udp.windows.asu.edu SRV
   _kerberos._tcp.windows.asu.edu SRV

where "windows.asu.edu" is the lowercase version of whatever your realm
Windows domain name is.  Active Directory always publishes these
records.  I don't know if you are using Active Directory for your DNS or
not though.  I know that you do not have have SRV records for your
ASU.EDU realm.

Jeffrey Altman
Secure Endpoints Inc.

Jeffrey Altman
Secure Endpoints Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20070504/9b4fac64/attachment.bin

More information about the Kerberos mailing list