[OpenAFS] OpenAFS logon token problem...
Rodney M Dyer
rmdyer@uncc.edu
Mon, 11 Feb 2002 15:07:38 -0500
Hi,
As you have stated, my problem was that I need to be able to set the user's
logon token with AFS_SETTOK_LOGON because I'm running aklog.exe from within
the NPLogonNotify() routine of "afslogon.c". I grovel'ed through the code
of ka_UserAuthenticateGeneral2() and found that the aclient.smbname was
being set, either to a random string (in the case of high security SMB
option), or the user's name. You were correct in your assesment of my problem.
I have since fixed the problem by simply adding a single line of code to my
aklog source that will set the aclient.smbname before the ktc_SetToken()
call. This prevents the KTC_INVAL error. It is somewhat interesting to me
that the ktc_SetToken() call accepts the new value aclient.smbname as a
zero terminated string.
Thanks for your help.
Rodney
Rodney M. Dyer
PC Systems Programmer
College of Engineering Computing Services
University of North Carolina at Charlotte
Email rmdyer@uncc.edu
Phone (704)687-3518
Help Desk Line (704)687-3150
FAX (704)687-2352
Office 267 Smith Building
At 02:39 AM 2/8/02 -0800, you wrote:
>I believe the ktc_SetToken() call in aklog was affected by the "random SMB
>user name" code (for higher security specifically designed for shared
>workstations and telnet servers). Calling ktc_SetToken() with the
>AFS_SETTOK_LOGON would require passing in a random SMB user name generated
>by the caller. I believe kalog() does not do that. Does aklog really
>need to set the AFS_SETTOK_LOGON flag? I think AFS_SETTOK_LOGON is only
>to be set when Windows Integrated Logon is used.
>
>Unsetting AFS_SETTOK_LOGON flag when calling ktc_SetToken() by kalog seems
>to be ok.
>
>Shyh-Wei Luan
>
>
>
>Rodney M Dyer <rmdyer@uncc.edu>@openafs.org on 2002/02/07 03:26:28 PM
>
>Sent by: openafs-info-admin@openafs.org
>
>
>To: openafs-info@openafs.org
>cc:
>Subject: [OpenAFS] OpenAFS logon token problem...
>
>
>
>Hello,
>
>I've been using Transarc's version of AFS since it came out as a client for
>Microsoft NT. We are now migrating to a true kerberos 5 environment with
>OpenAFS clients. At user logon we've taken the "afslogon.c" code and
>modified only very slightly to shell out and perform a kinit, then
>aklog. Within the aklog code we simply modified the ktc_SetToken() call so
>that it would set the logon user's token with AFS_SETTOK_LOGON. This works
>fine under Transarc's version of AFS.
>
>We are now trying to switch to OpenAFS and are finding a problem. When we
>logon we get a dialog from the AKLOG code that says "Bad ticket length"
>which is equal to the define KTC_INVAL. If I don't try to use the
>AFS_SETTOK_LOGON define in ktc_SetToken() the AKLOG works fine under
>OpenAFS.
>
>Does anyone have any idea of what changed in OpenAFS's code tree that would
>effect the operation of the ktc_SetToken() call within AKLOG?
>
>Help is very much appreciated.
>
>Thanks,
>
>Rodney
>
>Rodney M. Dyer
>PC Systems Programmer
>College of Engineering Computing Services
>University of North Carolina at Charlotte
>Email rmdyer@uncc.edu
>Phone (704)687-3518
>Help Desk Line (704)687-3150
>FAX (704)687-2352
>Office 267 Smith Building
>
>_______________________________________________
>OpenAFS-info mailing list
>OpenAFS-info@openafs.org
>https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
>
>_______________________________________________
>OpenAFS-info mailing list
>OpenAFS-info@openafs.org
>https://lists.openafs.org/mailman/listinfo/openafs-info