[OpenAFS-devel] W2000 Token authentication problems
James Peterson
jimpeter@us.ibm.com
Wed, 6 Jun 2001 15:54:03 -0700
W2000 Patches in Progress.
We will enum through the lana list and add netbios name to each lana (as
Microsoft recommends). It will no longer be necessary to enter the correct
Lana number in the Advanced Tab.
Fix integrated log on. Issue is that during logon klog is done in OS
context and therefore any SMB communication (pioctle calls) doesn't have a
user name or password associated with it.
Token authentication is really about binding the correct token list to the
correct user/machine/LSN. It seems that Windows 2000 can create multiple
sessions per user (in addition to the multiple user id's per session).
This causes it to loose tokens when new sessions are created. The creation
of multiple sessions seems to happen frequently on W2K terminal server and
occasionally on W2K professional. This is particular critical if DOS
windows are used.
The patch we have decided to try is to create a global user list (instead
of a user list per LSN, logical Session Number) . This would make the
assignment of tokens by userName/machineName rather than by LSN. If this
patch works then we can add security by doing a one way hash of the
userName/machineName.
Since blank user name is also used frequently, we would reserve userID 0
for blank user names and it would never have a token list associated with
it.
I expect to finish early next week.
James Peterson
"Integrity is the base of excellence."