Diff: WinXP+Krb5+AFS

Differences between current version and revision by previous author of WinXP+Krb5+AFS.

Newer page: version 6 Last edited on Tuesday, September 5, 2006 10:43:11 pm by PerryLorier
Older page: version 4 Last edited on Tuesday, September 5, 2006 10:04:34 pm by GuyThornley
@@ -1,7 +1,7 @@
 Getting WinXP to authenticate to a MIT [Kerberos5] KDC and use [AFS], all with single-sign-on, is not too difficult. However it does not appear to be completely (or correctly) documented anywhere. 
  
-You will need a correctly configured Kerberos5 domain and AFS server, which is probably its own set of headaches. I havn 't done that; it was already setup correctly. I simply connected a WinXP client. The OpenAFS network here is using Kerberos5 natively. There is no krb524 type things going on. 
+You will need a correctly configured Kerberos5 domain and AFS server, which is probably its own set of headaches. I haven 't done that; it was already setup correctly. I simply connected a WinXP client. The OpenAFS network here is using Kerberos5 natively. There is no krb524 type things going on. 
  
 Software I used: 
 * WindowsXP Pro, service pack 2 
 * MIT Kerberos for Windows (KfW) 3.0 from [http://web.mit.edu/Kerberos/dist/index.html] 
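Review bot: The changed line still uses "setup" as a verb ("it was already setup correctly") and closes with "There is no krb524 type things going on", so the spelling fix leaves two grammar slips in the same paragraph. Suggest "it was already set up correctly" and "There are no krb524-type things going on" in the same edit.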
@@ -10,9 +10,9 @@
  
 As of Sep 5 2006, new versions of KfW and the OpenAFS NetIDMgr plugin are available. You must always get the OpenAFS NetIDMgr plugin built for the version of KfW you are installing. 
  
 The approach documented here is a very basic configuration with some caveats: 
-* This does not use Active Directory (ldap), the client still needs a user account 
+* This does not use Active Directory (ldap), the client still needs a local user account 
 * This cannot use NT roaming profiles 
  
 The overall process: 
 # Get WinXP to authenticate to MIT Kerberos5 domain 
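Review bot: The changed bullet now says a local user account is needed, but nothing in this hunk tells the reader how that local account relates to the Kerberos principal used at logon. Suggest pointing to the step that covers it, if the page has one, and fixing the comma splice and capitalisation while the line is open: "This does not use Active Directory (LDAP), so the client still needs a local user account".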
@@ -73,9 +73,9 @@
 Once you have installed KfW, start the Network Identity Manager. Use the <tt>View -> Layout -> By Location</tt> menu sequence; you should see some credentials under the <tt>MSLSA:</tt> location. It may have already imported them, too; I cant remember the default configuration. If you select the <tt>MSLSA:</tt> credential, and use the <tt>Credential -> Import Credentials</tt> menu option you'll get Kerberos API credentials, which are called <tt>API:</tt> credentials in the list. 
  
 Open up the NetIDMgr configuration dialogue using the <tt>Options -> General</tt> menu option. Under the "Kerberos 5" tree item, there is an "Import Tickets" option. Set it to "always". 
  
-We arn 't quite finished with this yet, we'll be coming back to it later. 
+We aren 't quite finished with this yet, we'll be coming back to it later. 
  
 !!!Installing OpenAFS client for WinXP 
 Installing the OpenAFS client asks you a few questions: 
 # You are given the option of installing AFS' own MS Loopback interface. I must have done this when I first installed OpenAFS; now I have a strange "AFS" network adapter with the IP address 10.254.254.253 with netmask 255.255.255.252. If this bugs you, try unchecking it. The strange thing is that 127.0.0.1 still seems to work, dispite not being bound to any network adapter (!).
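Review bot: The context lines around this fix still contain "cant" (first line of the hunk, "I cant remember the default configuration") and "dispite" (last line), so the same pass should correct them to "can't" and "despite". The changed line is also a comma splice; "We aren't quite finished with this yet; we'll be coming back to it later" reads better.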