Discussion:
[OpenAFS] aklog/wake on Windows 2003 Terminal Server ?
Holger Brückner
2003-12-05 16:04:24 UTC
Hello,

i'm trying to run the openafs 1.2.10 client under windows 2003 terminal
server. i already read about several problems regarding tokens and
drive mappings ... but that is another problem.

i can login with a trust on a mit server and successfully get the krbtgt
ticket for a user account. the ticket is copied to the mit cache via
ms2mit/wake. unfortunately aklog won't work then. no debug output at
all. it just does nothing. no request for the afs ticket in the kdc
logs. it works with the administrator account though.

any hints why aklog could behave like this ?

thanks

Holger Brueckner
net-labs Systemhaus GmbH
Holger Brückner
2003-12-10 12:05:07 UTC
some more information:

the openafs client doesn't work correctly when i use the mit kdc for
password authentication (this windows server has a trust on a mit kdc
for single sign on).
symptom: i don't see any volume/file server preferences in the advanced
configuration tab.

it works correctly when i'm authenticating against the windows domain
(same user).

any further suggestions ?

terminal server is running windows 2003 server standard with all
available hotfixes.

thanks a lot

Holger Brueckner
net-labs Systemhaus GmbH
Post by Holger Brückner
Hello,
first thanks to all who replied. unfortunately
Rodney's afsk5log and Christopher's advice to set
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\AllowTgtSessionKey = 1 (REG_DWORD) didn't help.
it seems to me that the root of the problem is an error in the client
configuration. as a user i didn't have a cell configuration. now after
adding this manually the client isn't showing any file server/volume
server preferences in the configuration tab. it seems like it's not
trying to contact a fileserver at all. (it still works as administrator)
i'll have to dig into this a little bit further. if anybody knows what
to do please reply :)
Holger Brueckner
net-labs Systemhaus GmbH
Post by Holger Brückner
Hello,
i'm trying to run the openafs 1.2.10 client under windows 2003 terminal
server. i already read about several problems regarding tokens and
drive mappings ... but that is another problem.
i can login with a trust on a mit server and successfully get the krbtgt
ticket for a user account. the ticket is copied to the mit cache via
ms2mit/wake. unfortunately aklog won't work then. no debug output at
all. it just does nothing. no request for the afs ticket in the kdc
logs. it works with the administrator account though.
any hints why aklog could behave like this ?
thanks
Holger Brueckner
net-labs Systemhaus GmbH
_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
Jeffrey Altman
2003-12-10 14:13:43 UTC
If you are logging into Windows via a MIT KDC then Windows is going to
look to the KDC for service principals to authenticate to local SMB
services. Look in the KDC log for unknown service principal errors.
You are going to need to install additional service principals in the
KDC to support the proper operation of Windows.

Jeffrey Altman
Post by Holger Brückner
the openafs client doesn't work correctly when i use the mit kdc for
password authentication (this windows server has a trust on a mit kdc
for single sign on).
symptom: i don't see any volume/file server preferences in the advanced
configuration tab.
it works correctly when i'm authenticating against the windows domain
(same user).
any further suggestions ?
terminal server is running windows 2003 server standard with all
available hotfixes.
thanks a lot
Holger Brueckner
net-labs Systemhaus GmbH
Christopher D. Clausen
2003-12-10 14:30:21 UTC
I have Windows 2003 machines setup with a trust to a MIT Kerberos Realm
for single sign-on and users successfully receive tickets and then tokens
by a logon script that simply runs Doug Engert's gssklog (although it
required some modifications to the Kerberos libraries on the server that
runs gssklogd).

I made no modifications to the trusted MIT realm for AFS, as I had no
permission to do so. I do have gssklog service principals added to the
Windows domain so that gssklog works correctly.

In theory, you should be able to do the same thing using ms2mit and then
aklog, although I have not fully tested it. Or do you have an aklog
that reads the Microsoft credentials cache?

On 2003 server, you probably want to copy /y C:\windows\afs*
%userprofile%\windows in a logon script to ensure that each user has a
copy of the AFS config files. (I wish this was moved to the registry.)
Windows 2003 maintains a separate "Windows" directory per-user to enable
per-user settings on programs that write config files to C:\windows.
There are issues with AFS because the service runs as SYSTEM and
afscreds runs as a user. They look in different places. Hopefully, you
installed AFS from "install mode" (run change user /install from a cmd
prompt).

<<CDC
Christopher D. Clausen
Post by Jeffrey Altman
If you are logging into Windows via a MIT KDC then Windows is going to
look to the KDC for service principals to authenticate to local SMB
services. Look in the KDC log for unknown service principal errors.
You are going to need to install additional service principals in the
KDC to support the proper operation of Windows.
Jeffrey Altman
Post by Holger Brückner
the openafs client doesn't work correctly when i use the mit kdc for
password authentication (this windows server has a trust on a mit kdc
for single sign on).
symptom: i don't see any volume/file server preferences in the
advanced configuration tab.
it works correctly when i'm authenticating against the windows domain
(same user).
any further suggestions ?
terminal server is running windows 2003 server standard with all
available hotfixes.
thanks a lot
Holger Brueckner
net-labs Systemhaus GmbH
Holger Brückner
2003-12-10 14:51:36 UTC
hello,

your users are logging into windows with their own client workstation ?
this works perfectly here. what doesn't work is using a rdp client to
use windows 2003 terminal services.

it works if i'm logging into terminal services authenticating against
the windows kdc. then issue a kinit && aklog.

what i really would like to have is logging into windows terminal
services via mit kdc, then do a ms2mit and aklog (wake is capable of
doing this during startup) :)
Post by Christopher D. Clausen
I have Windows 2003 machines setup with a trust to a MIT Kerberos Realm
for single sign-on and users successfully receive tickets and then tokens
by a logon script that simply runs Doug Engert's gssklog (although it
required some modifications to the Kerberos libraries on the server that
runs gssklogd).
I made no modifications to the trusted MIT realm for AFS, as I had no
permission to do so. I do have gssklog service principals added to the
Windows domain so that gssklog works correctly.
In theory, you should be able to do the same thing using ms2mit and then
aklog, although I have not fully tested it. Or do you have an aklog
that reads the Microsoft credentials cache?
On 2003 server, you probably want to copy /y C:\windows\afs*
%userprofile%\windows in a logon script to ensure that each user has a
copy of the AFS config files. (I wish this was moved to the registry.)
Windows 2003 maintains a separate "Windows" directory per-user to enable
per-user settings on programs that write config files to C:\windows.
There are issues with AFS because the service runs as SYSTEM and
afscreds runs as a user. They look in different places. Hopefully, you
installed AFS from "install mode" (run change user /install from a cmd
prompt).
<<CDC
Christopher D. Clausen
Post by Jeffrey Altman
If you are logging into Windows via a MIT KDC then Windows is going to
look to the KDC for service principals to authenticate to local SMB
services. Look in the KDC log for unknown service principal errors.
You are going to need to install additional service principals in the
KDC to support the proper operation of Windows.
Jeffrey Altman
Post by Holger Brückner
the openafs client doesn't work correctly when i use the mit kdc for
password authentication (this windows server has a trust on a mit kdc
for single sign on).
symptom: i don't see any volume/file server preferences in the
advanced configuration tab.
it works correctly when i'm authenticating against the windows domain
(same user).
any further suggestions ?
terminal server is running windows 2003 server standard with all
available hotfixes.
thanks a lot
Holger Brueckner
net-labs Systemhaus GmbH
Holger Brückner
2003-12-10 16:57:38 UTC
Hello again,

with the help of Christopher i dug through this a little bit further:

Systems involved:

Window 2003 Terminal Server Standard
Rose-Hulmans Wake 2.5
Rose-Hulmans MIT Distribution (for this Wake version)
OpenAFS Client 1.3.5100

everything reinstalled after putting terminal server in install mode with
the command
change user /install
afterwards
change user /execute
reboot

logon script:

copy /Y %SystemRoot%\afs*.ini "%USERPROFILE%\WINDOWS"
sleep 5
start c:\Programme\Wake\Wake.exe /ms2mit /background /aklog
pause

i still have the problem that servers don't show up in preference tab
under client configuration right after i log on. after restarting the
afs client servers show up and i'm able to get a token with wake or
aklog.exe

i can't map any drives though. in my krb5kdc log i'm getting requests for
principals of the form:

Dec 10 17:22:24 management.net-labs.local krb5kdc[20737](info): AS_REQ
(2 etypes {3 1}) 10.0.0.13: CLIENT_NOT_FOUND:
***@NET-LABS.LOCAL for krbtgt/NET-***@NET-LABS.LOCAL,
Client not found in Kerberos database
Dec 10 17:43:27 management.net-labs.local krb5kdc[20737](info): AS_REQ
(2 etypes {3 1}) 10.0.0.13: CLIENT_NOT_FOUND:
***@NET-LABS.LOCAL for krbtgt/NET-***@NET-LABS.LOCAL,
Client not found in Kerberos database

principal name changes after every logon.

questions:

what are these principals and how do i get rid of them ?
what can i do to not have to restart the service when i logon ?

thanks for any help so far

Holger Brueckner
net-labs Systemhaus GmbH
Post by Holger Brückner
Hello,
i'm trying to run the openafs 1.2.10 client under windows 2003 terminal
server. i already read about several problems regarding tokens and
drive mappings ... but that is another problem.
i can login with a trust on a mit server and successfully get the krbtgt
ticket for a user account. the ticket is copied to the mit cache via
ms2mit/wake. unfortunately aklog won't work then. no debug output at
all. it just does nothing. no request for the afs ticket in the kdc
logs. it works with the administrator account though.
any hints why aklog could behave like this ?
thanks
Holger Brueckner
net-labs Systemhaus GmbH
Jeffrey Altman
2003-12-10 17:14:32 UTC
Sounds like you turned High Security mode on. In High Security mode,
random user names are created for the drive shares (mount points) to
ensure that other users on the same machine cannot access them by
guessing the names of other logged in users.

High Security mode is set in the registry when the

HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters
LogonOption

has the 2 bit set.

#define LOGON_OPTION_INTEGRATED 1
#define LOGON_OPTION_HIGHSECURITY 2

Jeffrey Altman
Post by Holger Brückner
i can't map any drives though. in my krb5kdc log i'm getting requests for
Dec 10 17:22:24 management.net-labs.local krb5kdc[20737](info): AS_REQ
Client not found in Kerberos database
Dec 10 17:43:27 management.net-labs.local krb5kdc[20737](info): AS_REQ
Client not found in Kerberos database
Holger Brückner
2003-12-10 17:39:22 UTC
hmmm, i didn't have that key.
adding it and setting it to 0x01 (REG_DWORD) didn't help.

any idea why drive mapping doesn't work ? or is this the
reason why it won't work ? (connecting to the smb service without proper
username/authentication) ?

Holger Brueckner
Post by Jeffrey Altman
Sounds like you turned High Security mode on. In High Security mode,
random user names are created for the drive shares (mount points) to
ensure that other users on the same machine cannot access them by
guessing the names of other logged in users.
High Security mode is set in the registry when the
HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\Parameters
LogonOption
has the 2 bit set.
#define LOGON_OPTION_INTEGRATED 1
#define LOGON_OPTION_HIGHSECURITY 2
Jeffrey Altman
Jeffrey Altman
2003-12-10 17:48:45 UTC
Are you sure that you are using 1.3.5x?

The reason it is not working is because Windows cannot get the credentials
it needs from the MIT KDC.
Post by Holger Brückner
hmmm, i didn't have that key.
adding it and setting it to 0x01 (REG_DWORD) didn't help.
any idea why drive mapping doesn't work ? or is this the
reason why it won't work ? (connecting to the smb service without proper
username/authentication) ?
Holger Brueckner
Jeffrey Altman
2003-12-10 18:06:14 UTC
Sorry, I got the registry key wrong. It's


HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider
LogonOptions

#define LOGON_OPTION_INTEGRATED 1
#define LOGON_OPTION_HIGHSECURITY 2
Post by Jeffrey Altman
Are you sure that you are using 1.3.5x?
The reason it is not working is because Windows cannot get the credentials
it needs from the MIT KDC.
Post by Holger Brückner
hmmm, i didn't have that key.
adding it and setting it to 0x01 (REG_DWORD) didn't help.
any idea why drive mapping doesn't work ? or is this the reason why
it won't work ? (connecting to the smb service without proper
username/authentication) ?
Holger Brueckner
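Two of the diagnostics in this thread can be scripted: decoding the LogonOptions bits Jeffrey describes (1 = integrated logon, 2 = High Security) and spotting the High Security symptom in the krb5kdc log, where one host sends AS_REQs for ever-changing client principals that all end in CLIENT_NOT_FOUND. The following Python script is an added example, not code from the thread or from OpenAFS; the log lines in it are constructed to match the krb5kdc format quoted earlier, and the realm, host name and principal names in them are placeholders. Reading the registry value itself is left to reg query or winreg on the Windows host; the script only decodes a value you pass in.

```python
import re
from collections import defaultdict

# Flag bits of the OpenAFS Windows client's LogonOptions value, as given in
# the thread (HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider).
LOGON_OPTION_INTEGRATED = 1
LOGON_OPTION_HIGHSECURITY = 2


def decode_logon_options(value):
    """Split a LogonOptions DWORD into its named bits.

    Returns the two documented flags plus any leftover bits, so an
    administrator can see at a glance which mode the client is in."""
    known = LOGON_OPTION_INTEGRATED | LOGON_OPTION_HIGHSECURITY
    return {
        "integrated_logon": bool(value & LOGON_OPTION_INTEGRATED),
        "high_security": bool(value & LOGON_OPTION_HIGHSECURITY),
        "unknown_bits": value & ~known,
    }


# MIT krb5kdc log line:
#   <date> <host> krb5kdc[<pid>](<level>): <REQ> (<etypes>) <ip>: <STATUS>: <rest>
_KDC_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<req>AS_REQ|TGS_REQ) "
    r"\((?P<etypes>[^)]*)\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# Failure lines end with "<client> for <server>, <explanation>"; ISSUE lines
# carry authtime/etypes first and then "<client> for <server>".
_PRINCIPALS = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)")


def parse_kdc_line(line):
    """Return the fields of one krb5kdc log line, or None if it is not one."""
    m = _KDC_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = _PRINCIPALS.search(rec.pop("rest"))
    rec["client"] = p.group("client") if p else None
    rec["server"] = p.group("server") if p else None
    return rec


def unknown_client_bursts(lines, min_distinct=2):
    """Group AS_REQ CLIENT_NOT_FOUND failures by source IP and report hosts
    that presented several *different* nonexistent client principals.

    One unknown client from a host is a typo; a stream of ever-changing
    unknown clients from one host is the High Security signature."""
    by_ip = defaultdict(set)
    for line in lines:
        rec = parse_kdc_line(line)
        if (rec and rec["req"] == "AS_REQ"
                and rec["status"] == "CLIENT_NOT_FOUND" and rec["client"]):
            by_ip[rec["ip"]].add(rec["client"])
    return {ip: sorted(c) for ip, c in by_ip.items() if len(c) >= min_distinct}


# Constructed sample log: two random-looking principals from one terminal
# server (10.0.0.13), one normal ticket issue, and one mistyped name from
# another host (10.0.0.21). Realm and names are placeholders.
SAMPLE_LOG = """\
Dec 10 17:22:24 kdc.example.test krb5kdc[20737](info): AS_REQ (2 etypes {3 1}) 10.0.0.13: CLIENT_NOT_FOUND: AFS3f9c1a@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Dec 10 17:23:01 kdc.example.test krb5kdc[20737](info): AS_REQ (2 etypes {3 1}) 10.0.0.13: ISSUE: authtime 1071073381, etypes {rep=3 tkt=3 ses=3}, holger@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Dec 10 17:43:27 kdc.example.test krb5kdc[20737](info): AS_REQ (2 etypes {3 1}) 10.0.0.13: CLIENT_NOT_FOUND: AFS7b2e04@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Dec 10 17:44:10 kdc.example.test krb5kdc[20737](info): AS_REQ (2 etypes {3 1}) 10.0.0.21: CLIENT_NOT_FOUND: hoglr@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
"""

if __name__ == "__main__":
    for ip, clients in unknown_client_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(clients)} distinct unknown clients: {', '.join(clients)}")
    # A value of 0x02 is what the thread ends up diagnosing.
    print(decode_logon_options(0x02))
```

Feed the script your real krb5kdc log instead of SAMPLE_LOG; a host that shows up with many distinct unknown clients is a client in High Security mode, and the fix on the page is to clear bit 2 of LogonOptions (or use the installer that no longer sets it) rather than to add those principals to the KDC.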
Holger Brückner
2003-12-10 18:16:20 UTC
hmmmm,

setting value to 0x01:

flag Obtain AFS tokens when logging into Windows is set
client won't restart (no servers in preferences tab)

unsetting obtain afs tokens .. (key value gets 0x00)
client won't restart

setting it to 0x02
client will restart (servers in preference tabs)
but random users get requested and no drive mapping.

Holger Brueckner
Post by Jeffrey Altman
Sorry, I got the registry key wrong. It's
HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvider
LogonOptions
#define LOGON_OPTION_INTEGRATED 1
#define LOGON_OPTION_HIGHSECURITY 2
Post by Jeffrey Altman
Are you sure that you are using 1.3.5x?
The reason it is not working is because Windows cannot get the credentials
it needs from the MIT KDC.
Post by Holger Brückner
hmmm, i didn't have that key.
adding it and setting it to 0x01 (REG_DWORD) didn't help.
any idea why drive mapping doesn't work ? or is this the reason why
it won't work ? (connecting to the smb service without proper
username/authentication) ?
Holger Brueckner
Holger Brückner
2003-12-10 18:07:07 UTC
Post by Jeffrey Altman
Are you sure that you are using 1.3.5x?
well client config says AFS Version 1.3.5100

registry says:

HKLM\SOFTWARE\TransarcCorportation\AFS Client\1.3.5100\Version String
1.3.5100

install file was:
OpenAFSforWindows-20031209.exe (from your public afs directory)

so i guess it's 1.3.5100 ;)
Post by Jeffrey Altman
The reason it is not working is because Windows cannot get the credentials
it needs from the MIT KDC.
maybe there is something wrong in my MIT configuration ?
after logging into terminal server i have the following keys:

MIT cache:

Ticket cache: FILE:C:\DOCUME~1\darks\LOCALS~1\Temp\2\krb5cc
Default principal: ***@NET-LABS.LOCAL

Valid starting Expires Service principal
12/10/03 17:08:46 12/11/03 03:08:46
krbtgt/NET-***@NET-LABS.LOCAL
renew until 12/17/03 17:08:46
12/10/03 17:08:49 12/11/03 03:08:46 ***@NET-LABS.LOCAL
renew until 12/17/03 17:08:46


Microsoft Cache:

Cached Tickets: (4)

Server: krbtgt/WINDOWS.NET-***@NET-LABS.LOCAL
KerbTicket Encryption Type: Kerberos DES-CBC-CRC
End Time: 12/11/2003 3:08:46
Renew Time: 12/17/2003 17:08:46


Server: krbtgt/NET-***@NET-LABS.LOCAL
KerbTicket Encryption Type: Unknown (16)
End Time: 12/11/2003 3:08:46
Renew Time: 12/17/2003 17:08:46


Server: cifs/WTS-***@NET-LABS.LOCAL
KerbTicket Encryption Type: Unknown (16)
End Time: 12/11/2003 3:08:46
Renew Time: 12/17/2003 17:08:46


Server: host/wts.windows.net-***@WINDOWS.NET-LABS.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 12/11/2003 3:08:46
Renew Time: 12/17/2003 17:08:46


Holger Brueckner
net-labs Systemhaus GmbH
Jeffrey Altman
2003-12-10 18:15:04 UTC
The problem was the NSIS installer was turning on High Security Logon
Option mode.
What it wanted to be activating was "crypt" mode which is set via the
SecurityLevel
parameter key.

grab the OpenAFSforWindows-20031210.exe installer

Jeffrey Altman
Post by Holger Brückner
Post by Jeffrey Altman
Are you sure that you are using 1.3.5x?
well client config says AFS Version 1.3.5100
HKLM\SOFTWARE\TransarcCorportation\AFS Client\1.3.5100\Version String
1.3.5100
OpenAFSforWindows-20031209.exe (from your public afs directory)
so i guess it's 1.3.5100 ;)
Holger Brückner
2003-12-17 13:50:17 UTC
Hello,

first good news, today i got it working. i never would have found a
solution if the same symptom hadn't occurred on my w2k
workstation. (client 1.2.10)

i had to remove

cifs/WTS-***@NET-LABS.LOCAL
(this key was added using
addprinc -randkey -e des-cbc-crc:normal cifs/WTS-***@NET-LABS.LOCAL )

from the kdc. now i get "Server not found in Kerberos database"
messages. but the client is working ok, and i can get afs tokens using
mit aklog.exe or wake.

if i add the key to the kdc and logon to windows the client won't show
any volume/fileservers in its preferences tab under client
configuration.

could someone explain this behaviour ?!?

thanks to anyone who helped

Holger Brueckner
net-labs Systemhaus GmbH
Post by Holger Brückner
Hello,
i'm trying to run the openafs 1.2.10 client under windows 2003 terminal
server. i already read about several problems regarding tokens and
drive mappings ... but that is another problem.
i can login with a trust on a mit server and successfully get the krbtgt
ticket for a user account. the ticket is copied to the mit cache via
ms2mit/wake. unfortunately aklog won't work then. no debug output at
all. it just does nothing. no request for the afs ticket in the kdc
logs. it works with the administrator account though.
any hints why aklog could behave like this ?
thanks
Holger Brueckner
net-labs Systemhaus GmbH