KERBEROS FILES, used both for Kerberos Authentication and for the AFS client:
Run Kerb-AFS-setup.exe found on \aas107\appmedia\OpenAFS\
This will create a "c:\program files\kerberos" folder and populate it with the latest Kerberos for Windows client. It will also drop some shortcuts onto the All Users desktop; these are required by the scripts that use Kerberos Authentication and pass those credentials to AFS when logging into a machine. It likewise drops a sample script for adding a machine to the acpub.duke.edu Kerberos Realm. (The machine needs to be registered with OIT first. More instructions on this are in "Kerberos-Authentication-Login.txt".) It also drops one file used by the AFSDocs script into the c:\windows\system32 folder. This file needs to be registered with Windows to work properly. To do so, run "c:\program files\kerberos\old scripts\improvedbox.bat". This batch file registers the file for use by Windows and the script.
After running this Kerberos-AFS-setup.exe file, please add "C:\program files\kerberos" to the system path.
(If using Kerberos Authentication for login to the machine you are building, please download a copy of ksetup.exe. If you use our standard installation files, the "tools.exe" file will contain this file. If you don't use the tools.exe file, you'll need to place ksetup.exe in your environment path, or run it from the location where you store it.)
INSTRUCTIONS FOR INSTALLATION OF AFS 1.3.7x CLIENT:
Run Installer:
Click NEXT
"AFS client", "MS Loopback Adapter", and "Supplemental Documentation" are checked by default. I UNCHECK "Supplemental Documentation". No harm in adding it, but it's not necessary for the user. The MS Loopback Adapter takes a while to install, and will need some additional tweaks when it is finished installing. These are noted later in the process.
Accept default path, and click NEXT:
This screen is critical. For a first-time setup, use the web address above. http://www.oit.duke.edu/sa/CellServDB is the configuration file maintained by Duke for AFS installation. (THE MACHINE NEEDS TO BE ONLINE TO USE THIS. If you cannot be online, you can copy the information from this site into a file named "CellServDB" stored locally, and use the last option, "Select a file".)
On subsequent installs, if only updating the client, you can use the first option, "Use Existing CellServDB from a previous installation".
Once screen looks like above, click NEXT:
Next screen, enter AFS Cell Name field as "acpub.duke.edu".
Currently I have had greatest success in working with our AFS servers on campus by UNCHECKING all these options. Defaults are to have the first three boxes checked.
I'd like to get BACK to this as our default, but have had mixed success with the default settings.
When screen looks as above, click NEXT:
Again, with above screen, these are the current options with which I've had greatest success.
Default settings are to have all boxes checked, except the very last one. Until our AFS servers are upgraded, and we're logging into a machine with our NetID and NOT being passed to a local account, we cannot use the first option.
When screen is configured as above, click INSTALL:
When installation is complete, it will give you this screen. Check "I want to manually reboot later" and click FINISH, as there are some configurations of the Loopback adapter that need to be done before reboot.
When back at desktop, Right-Click on My Network Places, and select Properties. You will get the window below:
We're going to modify the settings of "AFS", the loopback adapter. Right-Click on this, and select Properties.
In this resulting window, you need to CHECK "Client for Microsoft Networks", and "File and Printer Sharing for Microsoft Networks".
Then highlight "Internet Protocol (TCP/IP)" and click on Properties:
The resulting window is pre-configured as above. This is a private address, not routable on the Internet. If you've got an internal network set up using 10.x.x.x, please select another private address so it does not conflict with your established network. This address exists only to provide a stable interface for the AFS service on the local machine. You can use a 192.168.x.x address, as long as you aren't using something like a Linksys router on this network. You can also use 172.16.x.x. Just avoid conflicting addresses.
Click on Advanced in the above window:
UNCHECK "Register this connection's addresses in DNS".
Click on WINS tab in window above:
"Enable NetBIOS over TCP/IP" should be checked by default. If it is not, please check it.
At this point, you're ready to reboot!
AFTER REBOOT:
I open up AFS client for some post installation configurations. Click on Start | Settings | Control Panel | AFS Client Configuration:
First window:
Make sure “acpub.duke.edu” is registered here. As long as setup was done correctly, this should be the case.
In order to add one more piece of information to the desktop, to confirm that tokens are being issued, I check the box "Show the AFS Client icon in the taskbar". This is not critical, but often useful.
Click on “Drive Letters” tab. Nothing should show up here, when first configuring this.
If any drive mappings show up here, they should be the result of the scripts that map Kerberos credentials to AFS credentials.
Click on “Preference” tab:
If your system is registering the AFS servers properly, the servers shown above will appear. If these fields are blank, it may require running one of the scripts to actively contact the servers; they do not always show up on the initial start of the AFS client.
Click on AFS Cells tab:
The “acpub.duke.edu” cell should be first in the list. If it’s not, your configuration may have been done incorrectly at setup. Reinstall client to correct.
Click on Advanced Tab:
Click on “Logon” button:
I alter the default setting to YES for "Fail Logins Silently". Otherwise, the user gets feedback they don't understand.
Click on Diagnostics button:
I change "report session startups" to YES, so that session startups show up in the event log for diagnosing problems.
All other settings for client, I leave at default.
No reboot is required at this point.
For AFS to work properly under XP SP2, and with the current versions of the AFS servers deployed by OIT, there are a few registry settings to add for the AFS configuration:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]
"AllowTGTSessionKey"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"AllowTGTSessionKey"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\OpenAFS\Client]
"Use524"=dword:00000001
The last setting is only added where Kerberos 5 tickets have to be converted to Kerberos 4 for use with AFS. (This is still the case with the acpub AFS servers, so please add this one for now.)
For mappings of AFS space, for use in our labs, and if the user wants to use the AFS client and these scripts, I’ve set up the following options:
start /B /HIGH /WAIT ms2mit.exe
START /B /HIGH /WAIT AKLOG.EXE -m
START /B /HIGH /WAIT AFSDRIVEMAP.VBS
The ms2mit.exe file copies the Microsoft Kerberos tickets into an MIT-format credential cache (to work correctly with our servers, which expect MIT tickets).
"Aklog.exe -m" uses one of aklog's option switches. "-m" means use krb524d.dll to convert the Kerberos V tickets inside aklog, instead of running "k524init.exe" between ms2mit.exe and aklog.exe.
Alternatively, you can use "aklog.exe -4", which changes the default to use Kerberos IV tickets. If you use "aklog.exe -4", you need to run "k524init.exe" first. (I've had better success using "aklog.exe -m".)
AFSDRIVEMAP.VBS is a script written by Rhett Butler. It uses the tokens obtained from the NetID login and sets up drive mappings according to your NetID. It works well, as long as AKLOG has provided proper tokens.
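The three-step sequence above, wrapped with a check after each step so that a failure is logged and reported to the user instead of silently leaving them without tokens or drives. This is an added example, not one of the scripts shipped in the setup package; it assumes ms2mit.exe, aklog.exe and AFSDRIVEMAP.VBS are on the PATH, that ms2mit.exe and aklog.exe return a non-zero exit code on failure, and that the log file location %TEMP%\afs-login.log is acceptable.

```batch
@echo off
rem afs-login-tokens.bat: added example, not one of the scripts shipped in Kerb-AFS-setup.exe.
rem Runs the three-step sequence from the notes with a check after each step so a
rem failure is logged and reported instead of the user silently ending up with no drives.
rem Assumes ms2mit.exe, aklog.exe and AFSDRIVEMAP.VBS are on the PATH and that
rem ms2mit.exe and aklog.exe return a non-zero exit code on failure.
setlocal
set LOGFILE=%TEMP%\afs-login.log
>>"%LOGFILE%" echo [%DATE% %TIME%] %USERNAME%: starting token and drive-map sequence

rem Step 1: copy the Windows Kerberos TGT into the MIT credential cache.
rem This is the step that needs the AllowTGTSessionKey registry settings.
ms2mit.exe
if errorlevel 1 (
    call :fail "ms2mit.exe failed: check time sync against dukedns2.duke.edu and the AllowTGTSessionKey keys"
    exit /b 1
)

rem Step 2: get an AFS token for acpub.duke.edu. -m converts the V5 ticket through
rem krb524 inside aklog instead of running k524init.exe as a separate step.
aklog.exe -m
if errorlevel 1 (
    call :fail "aklog.exe -m failed: verify Use524=1 under HKLM\SOFTWARE\OpenAFS\Client and that the AFS service is running"
    exit /b 1
)

rem Step 3: map H:, P: and Q: from the NetID. The VBS is not relied on for an exit
rem code here; success is judged by whether H: exists afterwards.
cscript //nologo AFSDRIVEMAP.VBS
if not exist H:\ (
    call :fail "AFSDRIVEMAP.VBS did not map H: - tokens are probably missing or expired"
    exit /b 1
)

>>"%LOGFILE%" echo [%DATE% %TIME%] %USERNAME%: tokens and drives OK
exit /b 0

:fail
rem Append the failure to the log and tell the user which step broke.
>>"%LOGFILE%" echo [%DATE% %TIME%] %USERNAME%: %~1
echo AFS login step failed: %~1
echo See "%LOGFILE%" for details.
goto :eof
```

Placing this in the All Users "Startup" folder instead of the plain AFS Drive Map shortcut gives the same result on success, and a log entry plus an on-screen message on failure.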
Desktop of All Users will have the following shortcuts, with the following functions:
AFS Drive Map: This shortcut will map drives (H:, P:, and Q:) based on the NetID of the logged-in user. If you want the system to map the drives automatically on initial login, place this shortcut in the "Startup" folder for All Users.
AFS Disconnect: This script will disconnect the H:, P:, and Q: drives mapped by the AFS script. It will also run "unlog.exe", which drops the current NetID tokens. This permits another individual to run a script (AFSDocs) to map network drives as a user OTHER than the logged-in user. (This is used in labs where students share machines during a class session.)
AFSDocs: Script used AFTER running AFS Disconnect, to permit mapping network drives for a user other than the logged-in user. It will prompt for a username, then request that the password be entered twice to confirm it. It then uses these values to map the drives.
Restart AFS Service: This shortcut runs a batch file that restarts the AFS service, should it have died. As long as the user has permission to run this shortcut, it avoids having to reboot the machine when the service has indeed died or hung. (This does not appear to happen very frequently since the release of the 1.3.7x client.)
Trouble-shooting Kerberos Authentication (very rarely problematic)
If your local machine name keeps coming back as the default at logon, rather than ACPUB.DUKE.EDU:
On any of your kerberized machines where you see this problem, and which were converted from machines that were originally members of a domain, check for this key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DomainCache
If this DomainCache key is there, delete it, and see whether the flip-flopping stops.
On machines that work correctly, there seems to be a value that takes its place, found under:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
It's a string value titled "CachePrimaryDomain", with an entry of AASNT, BIOLOGY, or whatever. This string value does NOT cause any problems.
***************
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Under this key, there should be a string value "CachePrimaryDomain" with "AASNT" listed.
In cases where login reverts from the realm to the local machine, there is an additional key under Winlogon, "DomainCache". Under this are string values AASNT, BIOLOGY, POLYSCI, etc.
TO FIX PROBLEM:
1. Add the string value "CachePrimaryDomain" under Winlogon, if it is not there, with the entry for your domain ("AASNT" in our case).
2. THEN delete the key "DomainCache", found under the Winlogon key, and all values under it.
Trouble-shooting AFS client
(Frequent issues, as the client is a bit sensitive. Please try these fixes before contacting me.)
If errors with AFS scripts on login, verify the following:
1. Is the time synchronized correctly? It needs to be synced with the Duke server (dukedns2.duke.edu). Be sure your clock is set to use this server for time sync, and that you've got the proper time zone set up.
2. Did the AFS client service fail to start? Under Control Panel, start AFS Client Configuration and click on the "Start" button. If it still fails, try restarting the machine. If it fails after a restart, uninstall the client, delete the registry keys for AFS, and reboot. Delete the c:\program files\OpenAFS folder, and reinstall the client.
3. Verify that the user has entered the correct ACPUB or NetID username and password. If they have, they may need to open an SSH session and run "passwd" to change their UNIX password. They do not need to actually change the password, but it might need to be resynced with the proper KDC server. (Users can also open a browser, go to http://www.duke.edu/online and click on the "Change Password" option. The user should be aware that if their password does not pass the "complexity check" at this stage, they will indeed need to pick a new password.)
4. In general, when in doubt, restart the computer :-)
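A read-only diagnostic that checks, in one pass, the causes listed above plus the registry settings from the AFS configuration section and the Winlogon DomainCache problem from the Kerberos troubleshooting section. This is an added example, not a script from the setup package; it assumes the OpenAFS client service is named TransarcAFSDaemon (the OpenAFS 1.3.x default) and that the time source is recorded in the standard W32Time NtpServer registry value.

```batch
@echo off
rem afs-diag.bat: added troubleshooting helper, not part of the setup package.
rem Reports the common failure causes from the notes without changing anything.
rem Assumes the OpenAFS client service name TransarcAFSDaemon (OpenAFS 1.3.x default).
setlocal
set PROBLEMS=0

echo --- Time source (must be dukedns2.duke.edu) ---
reg query "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" /v NtpServer 2>nul | find /i "dukedns2.duke.edu" >nul
if errorlevel 1 (echo   WARNING: NtpServer is not dukedns2.duke.edu & set /a PROBLEMS+=1) else (echo   OK)

echo --- AFS client service ---
sc query TransarcAFSDaemon | find "RUNNING" >nul
if errorlevel 1 (echo   WARNING: AFS client service is not running. Start it from AFS Client Configuration & set /a PROBLEMS+=1) else (echo   OK)

echo --- Registry settings for Kerberos to AFS token conversion ---
call :checkreg "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos" AllowTGTSessionKey 0x1
call :checkreg "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" AllowTGTSessionKey 0x1
call :checkreg "HKLM\SOFTWARE\OpenAFS\Client" Use524 0x1

echo --- Winlogon realm flip-flop (stale DomainCache key) ---
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DomainCache" >nul 2>&1
if not errorlevel 1 (echo   WARNING: DomainCache key present. Delete it per the Kerberos troubleshooting notes & set /a PROBLEMS+=1) else (echo   OK)
call :checkreg "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" CachePrimaryDomain AASNT

echo.
echo %PROBLEMS% problem(s) found.
rem Exit code is the problem count, so a login script can branch on it.
endlocal & exit /b %PROBLEMS%

:checkreg
rem %1 = key, %2 = value name, %3 = expected data as shown by reg query (e.g. 0x1)
reg query %1 /v %2 2>nul | find /i "%~3" >nul
if errorlevel 1 (echo   WARNING: %~2 under %~1 is missing or not %~3 & set /a PROBLEMS+=1) else (echo   OK: %~2)
goto :eof
```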