Windows with Krb5

Steve Ostrove ostrove@umbc.edu
Thu, 10 May 2001 17:13:02 -0400 

This is a multi-part message in MIME format.
--------------E533805E765A875EF482F5E7
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Kevin,

Yes!  I've seen the exact same behavior.  Well, I haven't traced it to be a
malformed packet, I've just seen the error message.

I replaced the afscreds.exe, afsauthen.dll, tokens.exe, and klog.exe with their
previous counterparts from the 3.6-2.5 release and everything now seems to work
fine.

Of course, the docs say not to mix components, but... at least now it's
working... and working better than the straight 3.6-2.5 release from what I can
see.

Hope this helps.

Kevin Coffman wrote:
> 
> We just installed Patch 2 (AFS 3.6 2.14) on a couple of Windows 2000
> boxes and they both exhibit the same behavior.  The kerberos request
> packet they are sending is malformed, causing the following message in
> the (MIT K5 1.2.1) KDC log:
> 
>     krb5kdc: Invalid message type - while dispatching
> 
> The client -- after timing out to all the KDCs, since it never gets a
> reply -- displays:
> 
>     The AFS client was unable to obtain tokens as kwc in cell umich.edu
>     Error: 56 (Authentication Server was unavailable)
> 
> Anyone else seen this?
> 
> K.C.
> 
> > Has anyone successfully used the Windows AFS client in an AFS cell with Ken
> > Hornstein's NRL AFS-Kerberos5 migration kit (which allow you to run a
> > normal Krb5 server, storing afs3, krb5, and krb4 keys)?  We've successfully
> > used it with unix clients (using aklog to obtain AFS tokens from krb5
> > tickets) and have preserved the ability for users from foreign cells to
> > authenticate to our servers by running "fakeka", which decodes just enough
> > of the RX packet to forward the authentication request to the krb5 server.
> > So far so good... but the Windows AFS client has looked more attractive to
> > us lately and we cannot get it to work with our modified setup...
> >
> > I can browse AFS filespace unauthenticated just fine.  I can
> > successfully obtain tokens for an unmodified AFS.
> >
> > But authenticating to the KDC Server i got at first the error
> > The AFS Client was unable to obtain tokens as x30 in cell urz.uni-heidelberg.de
> > Error: 37 (unknown authentication error 37).
> >
> > This was an result of bad skewed times on Win and Kdc-Server (sol 7)
> > But after correctin this problem i got an expired token (!) with
> > expiration time 11:41:00 12/12/17 (!!!).
> > Has anyone an idea ?
> >
> > Thank for help.
> >
> > Elmar
> >
> > ------------------------------------------------------------------------
> > Dr. Elmar Abeln              email: Elmar.Abeln@URZ.Uni-Heidelberg.DE
> > Universitaetsrechenzentrum
> > Im Neuenheimer Feld 293            phone: +49 (6221) 54 4513
> > D 69120 Heidelberg         fax:   +49 (6221) 54 5581
> > ---------------------------------------------------------------------------
--------------E533805E765A875EF482F5E7
Content-Type: text/x-vcard; charset=us-ascii;
 name="ostrove.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Card for Steve Ostrove
Content-Disposition: attachment;
 filename="ostrove.vcf"

begin:vcard 
n:Ostrove;Steven M.
tel;fax:410-455-1065
tel;work:410-455-2992
x-mozilla-html:FALSE
org:University of Maryland Baltimore County;Office of Information Technology
version:2.1
email;internet:ostrove@umbc.edu
title:Desktop LAN Coordinator
adr;quoted-printable:;;1000 Hilltop Circle=0D=0AECS Bldg, Room 126E;Baltimore;Maryland;21250;
fn:Steven M. Ostrove
end:vcard

--------------E533805E765A875EF482F5E7--