David Bear wrote:
>> Does your NIM identity for the Windows principal have a configuration
>> stating it should obtain AFS tokens? I bet that is what is failing.
>
> I don't know what a NIM identity is or how to check for it. Any
> pointers?

What version of KFW are you using? Network Identity Manager ships in version 3.0 and above.
I have links to the documentation for NIM accessible from http://www.secure-endpoints.com/#Network%20Identity%20Manager

> I do know there is a cross realm trust from our AD domain to our MIT
> realm. (please note when I speak of MIT realm, it's NOT MIT -- it's
> just a true MIT based kerb realm)
>

This is only relevant if you want to be able to use the Windows logon name [EMAIL PROTECTED] to obtain the AFS tokens for the cell asu.edu. Note that [EMAIL PROTECTED] is not the same as [EMAIL PROTECTED] There are things that you can do to enable the asu.edu to treat both names as the same but let's not go there right now. It's not relevant to your question.

>> KFW will use DNS SRV lookups to obtain the data for the Windows Active
>> Directory realm if you don't include them in the krb5.ini file.
>
> I have verified that we use DNS records for our afs servers

DNS AFSDB records are not the same as DNS SRV records for Kerberos. DNS SRV records will be of the form

    _kerberos._udp.windows.asu.edu SRV
    _kerberos._tcp.windows.asu.edu SRV

where "windows.asu.edu" is the lowercase version of whatever your realm Windows domain name is. Active Directory always publishes these records. I don't know if you are using Active Directory for your DNS or not though. I know that you do not have SRV records for your ASU.EDU realm.

Jeffrey Altman
Secure Endpoints Inc.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
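The distinction drawn in the message above between DNS AFSDB records and Kerberos DNS SRV records, as an added example that is not part of the original message: it derives the SRV owner names for a realm and checks a zone listing for them. The zone data and the host names `afsdb1.example.asu.edu` and `dc1.windows.asu.edu` are constructed for illustration.

```python
# Constructed zone data (not real records): an AFSDB record for the AFS cell
# and Kerberos SRV records for the Windows realm only.
SAMPLE_ZONE = """\
asu.edu.                         3600 IN AFSDB 1 afsdb1.example.asu.edu.
_kerberos._udp.windows.asu.edu.  600  IN SRV   0 100 88 dc1.windows.asu.edu.
_kerberos._tcp.windows.asu.edu.  600  IN SRV   0 100 88 dc1.windows.asu.edu.
"""

def kdc_srv_names(realm):
    """SRV owner names looked up for a realm: the realm name, lowercased."""
    domain = realm.strip().rstrip(".").lower()
    return [f"_kerberos._udp.{domain}", f"_kerberos._tcp.{domain}"]

def parse_zone(text):
    """Parse 'owner ttl IN type rdata...' lines into (owner, type, rdata)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        owner = fields[0].rstrip(".").lower()
        records.append((owner, fields[3].upper(), fields[4:]))
    return records

def kdcs_from_dns(realm, records):
    """Sorted (proto, host, port) KDC endpoints discoverable through SRV."""
    wanted = {n: n.split(".")[1].lstrip("_") for n in kdc_srv_names(realm)}
    found = set()
    for owner, rtype, rdata in records:
        # AFSDB records never match here: they locate AFS database servers,
        # not KDCs, and are published at the cell name, not _kerberos._proto.
        if rtype != "SRV" or owner not in wanted or len(rdata) != 4:
            continue
        _priority, _weight, port, target = rdata
        if target == ".":  # RFC 2782: "." means the service is not offered
            continue
        found.add((wanted[owner], target.rstrip(".").lower(), int(port)))
    return sorted(found)

def needs_krb5_ini_entry(realm, records):
    """True when no KDC is discoverable via SRV, so DNS alone cannot
    tell the client where the realm's KDCs are."""
    return not kdcs_from_dns(realm, records)

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for realm in ("WINDOWS.ASU.EDU", "ASU.EDU"):
        print(realm, kdcs_from_dns(realm, recs), needs_krb5_ini_entry(realm, recs))
```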
