[info-afs] Windows/NIM/AFS plugin config question
Neil Brian Tweedy
tweedy@umich.edu
Wed, 1 Aug 2007 19:53:17 -0400 (EDT)
Hi,

So. The distilled question is

Can I configure the OpenAFS plugin for NIM to renew tokens ONLY for
Identities of the form "something@UMICH.EDU"? Or at least to NOT try
with Identities of the form "something@ADSROOT.ITCS.UMICH.EDU"?

At UMich one can authenticate directly to the UMICH.EDU krb5 service and get
Windows tickets through trust. However, the trust is one-way, ADSROOT tickets
won't get anything from UMICH.EDU. We have some users in the ADSROOT Domain
with no UMICH.EDU principal and I'd like to let them authenticate to ADSROOT
and not have NIM/AFS try to get AFS creds since using the ADSROOT ticket will
fail due to the one-way trust. Just to avoid presenting the error message to
users.

The config GUI hasn't got me there though it looks like it should. That is:

Options -> Identities -> chair-aeron@ADSROOT.ITCS.UMICH.EDU -> AFS ->
[ ] Obtain AFS Credentials

UNchecking this box does nothing for me. Seems like that must not be
right. I haven't found the piece(s) of Registry to do it either. Barring
stupid errors of course... Since this is for an automated build I'd
most want the registry info.

For the record - KfW 3.2.0 and OAFS 1.5.19. I have NIM logs if anyone is
interested in the error ("Credentials could not be obtained for cell umich.edu"
in a window referencing Identity user@ADSROOT.ITCS.UMICH.EDU). At login
once NIM has started. krb5.ini is pointing at UMICH.EDU.

So I'm looking for a quick hint.

thanks
neil
--
Neil Tweedy
Mathematics Computer Group
math-systems@umich.edu / (734) 763-6521