w.r.t. #3...

our afs cell name is different than the Kerberos realm our users use to
login (and both of these are different than the name of the Active
Directory domain).

So, our AD domain is AD.CNF.CORNELL.EDU

but users don't login to AD.CNF.CORNELL.EDU when logging into windows...
they instead login to the Kerberos Realm of CIT.CORNELL.EDU. So, windows
uses a cross realm login. And, our afs cell is "cnf.cornell.edu", so the
pts users themselves are also cross realm (requiring a
system:authu...@cit.cornell.edu pts group) .

On Thu, 2010-06-10 at 12:26 +0200, Michael Richter wrote:
> 1. yes
> 2. yes
> 3. I'm not sure what cross-realm is. We have the "real" windows domain 
> and a kerberos domain which is the same in background. If you login with 
> the "real" domain you get 2 tokens, one for the real domain and one for 
> the kerberos domain. And you need the kerberos domain ticket to access 
> the AFS share.
> 
> schrieb Dave B:
> > We skipped over vista...
> >
> > A few questions...
> >
> > 1. are you doing integrated login?
> > 2. are the computers in a domain?
> > 3. are you doing cross-realm mit kerberos logins?
> >
> > On Wed, 2010-06-09 at 16:39 +0200, Michael Richter wrote:
> >> We have 32 Vista notebooks (same software and configuration) and on 3 of
> >> them we have exact the same problem. I couldn't find a difference
> >> between these machines so it's a strange problem.
> >>
> >>
> >> Dave B<bot...@cnf.cornell.edu>  schrieb am Wed, 09.06.2010 um 15:50:
> >>> Anyone else seen this have any thoughts?
> >>>
> >>> This is one of those annoying can't reproduce on command might happen
> >>> many times in a day then not for a couple of weeks type of bugs.
> >>>
> >>> I don't know that this issue is afs related but am being asked to
> >>> investigate that possibility. We have had both oafs 1.5.65 and oafs
> >>> 1.5.74 on Windows 7, both 32 and 64-bit. Win7 machines in a domain,
> >>> cross realm MIT Kerberos login (except for the Administrative user).
> >>> Integrated login attempted.
> >>>
> >>> After putting in the username and password, sometimes the machine will
> >>> "hang" at the "Welcome" message (the little blue wheel keeps spinning).
> >>>
> >>> If the hang involves a cross realm Kerberos user, pslist -t \\machine
> >>> does not show a mpnotify or krbcc32s running as subprocesses of the
> >>> logonui process. Process auditing would appear to show that mpnotify
> >>> never fired off. I can pskill logonui and get back to the ctrl-alt-del
> >>> login screen but the computer will just hang, again (a reboot by
> >>> pressing the reset button seems to fix it for a while).
> >>>
> >>> If the hang has involved Administrator (not in MIT Kerberos) in the
> >>> domain, pslist -t \\machine *does* show mpnotify and krbcc32s both
> >>> running.
> >>>
> >>> I've turned on both the afsd_service TraceOption and the Microsoft user
> >>> profile logging... nothing was ever logged in the log files, at least
> >>> when a MIT cross realm Kerberos user was involved. I have not
> >>> specifically managed to have both logging and an Administrator hang
> >>> happen yet, as I can't reproduce this on command.
> >>>
> >>> Thoughts on where the issue might be and things to check out?
> >>>
> >>> thanks!
> >>>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
-- 
********************************
David William Botsch
Programmer/Analyst
CNF Computing
bot...@cnf.cornell.edu
********************************


_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Reply via email to