Getting WinXP to authenticate to a MIT Kerberos5 KDC and use AFS, all with single-sign-on, is not too difficult. However it does not appear to be completely (or correctly) documented anywhere.
You will need a correctly configured Kerberos5 realm and AFS server, which is probably its own set of headaches. I haven't done that; it was already set up correctly. I simply connected a WinXP client. The OpenAFS network here is using Kerberos5 natively; there is no krb524 (5-to-4) translation going on.
Software I used:
The overall process:
Some useful background reading, if you care:
To authenticate your WinXP client against an external MIT Kerberos5 server, you need:
The host principal (called a "machine account" by Microsoft) is needed by WinXP. If it is absent or incorrect, you cannot log in. I'm not sure what WinXP uses the host principal for; perhaps it is some form of mutual authentication, where WinXP uses the machine account to protect against a fake domain controller.
The host principal must be keyed with the des-cbc-crc enctype; nothing else seems to work. Yeah, I know, it's a really weak encryption method. If you want to use a random password (which is probably recommended), make sure you write it down; you need to type it into the WinXP client too. This restriction on enctypes applies only to the host principal; my own user principal is keyed with the des3-cbc-sha1 enctype, and that works just fine.
The local account on the WinXP client is part of the odd "trust" relationship that ends up in place between the Kerberos5 realm and the WinXP client. The client maps the Kerberos principal to a local account for the purposes of file permissions, group membership, and so on (the stuff typically kept in LDAP). I added myself to the "Administrators" built-in group and did not worry about it; AFS enforces its own permissions.
The host principal is added using the kadmin tool like any regular Kerberos5 principal. The -e option restricts the key to the des-cbc-crc enctype (with the normal salt), and -pw sets the password you will later type into the WinXP client:
kadmin -q "addprinc -e des-cbc-crc:normal -pw {passwd} host/{fqdn}"
On the WinXP client, execute the following in a command prompt window (one command per line):
ksetup /setdomain {REALM}
ksetup /setmachpassword {passwd}
ksetup /mapuser * *
If you have working DNS SRV records for your Kerberos realm, you can omit this step. Otherwise, you also need to tell the client where the KDC is:
ksetup /addkdc {REALM} {kdc}
Finally, you must reboot your WinXP client. When it starts up again, you should hopefully have the option to log in to your Kerberos realm. Even better, if you did everything right, it should work! Woohoo!
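Before rebooting the client it is worth confirming that the host principal really was keyed the way WinXP needs, and that no user principal was accidentally given a single-DES key. The script below is an added example, not from the original page: it parses the text that MIT kadmin prints for "getprinc" and applies the rule stated above (a host/ principal gets exactly one des-cbc-crc key; everything else should avoid single DES). The sample getprinc output embedded in it is constructed, not captured from a real KDC, and the realm, hostnames and principal names in it are placeholders.

```python
"""Check Kerberos principal enctypes from MIT `kadmin -q "getprinc ..."` output.

Added example (not part of the original page). Sample outputs below are
constructed; EXAMPLE.COM, ws01.example.com and alice are placeholders.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Single-DES enctype names as MIT kadmin prints them (56-bit keys; weak).
WEAK_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1"}

# Matches "Key: vno 1, des-cbc-crc" or "Key: vno 1, des-cbc-crc:v4" (the salt
# type is only shown when it is not the normal one). Very old kadmin versions
# print long names such as "DES cbc mode with CRC-32"; those are not handled.
KEY_LINE = re.compile(r"^Key: vno (\d+), ([A-Za-z0-9-]+)(?::([A-Za-z0-9-]+))?$")

# Constructed sample: host principal created with "-e des-cbc-crc:normal".
SAMPLE_HOST = """\
Principal: host/ws01.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jan 01 12:00:00 UTC 2007
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Jan 01 12:00:00 UTC 2007 (admin/admin@EXAMPLE.COM)
Number of keys: 1
Key: vno 1, des-cbc-crc
MKey: vno 1
Attributes:
Policy: [none]
"""

# Constructed sample: ordinary user principal with stronger enctypes.
SAMPLE_USER = """\
Principal: alice@EXAMPLE.COM
Number of keys: 2
Key: vno 3, des3-cbc-sha1
Key: vno 3, aes256-cts-hmac-sha1-96
MKey: vno 1
"""


@dataclass
class PrincipalKeys:
    principal: str
    enctypes: list = field(default_factory=list)


def parse_getprinc(text: str) -> PrincipalKeys:
    """Extract the principal name and the enctype of every key from getprinc output."""
    principal = None
    enctypes = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Principal: "):
            principal = line[len("Principal: "):].strip()
            continue
        m = KEY_LINE.match(line)
        if m:
            enctypes.append(m.group(2).lower())
    if principal is None:
        raise ValueError("no 'Principal:' line found; is this kadmin getprinc output?")
    return PrincipalKeys(principal, enctypes)


def check_principal(keys: PrincipalKeys) -> list:
    """Return a list of findings; an empty list means the principal is as expected.

    host/ principals (WinXP machine accounts) must carry a des-cbc-crc key and
    nothing else; any other principal with a single-DES key is flagged as weak.
    """
    findings = []
    if not keys.enctypes:
        return ["no keys found for %s" % keys.principal]
    if keys.principal.startswith("host/"):
        if "des-cbc-crc" not in keys.enctypes:
            findings.append("host principal lacks a des-cbc-crc key; WinXP logon will fail")
        extra = sorted(e for e in keys.enctypes if e != "des-cbc-crc")
        if extra:
            findings.append("host principal has extra enctypes %s; the page's addprinc "
                            "command creates a des-cbc-crc key only" % extra)
    else:
        weak = sorted(e for e in keys.enctypes if e in WEAK_DES)
        if weak:
            findings.append("single-DES key(s) %s on %s; rekey with a stronger enctype "
                            "such as des3-cbc-sha1" % (weak, keys.principal))
    return findings


def getprinc_live(principal: str) -> PrincipalKeys:
    """Query a real KDC via kadmin (requires admin credentials; not used by the tests)."""
    out = subprocess.run(["kadmin", "-q", "getprinc " + principal],
                         capture_output=True, text=True, check=True).stdout
    return parse_getprinc(out)


if __name__ == "__main__":
    for sample in (SAMPLE_HOST, SAMPLE_USER):
        keys = parse_getprinc(sample)
        print(keys.principal, keys.enctypes, check_principal(keys) or "OK")
```

Run it as-is to see the two constructed samples checked; swap in getprinc_live("host/{fqdn}") to check the principal you actually created.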