[OpenAFS] Multiple tokens on Windows.

Jan Johansson janj+openafs@wenf.org
Mon, 25 Apr 2005 12:24:41 +0200


Jeffrey Altman <jaltman@columbia.edu> wrote:
> Tokens obtained via the AFS SysTray tool are auto-renewed by
> the SysTray tool but Leash will only auto-renew for one cell.
> Tokens for multiple cells can be obtained using the same
> Kerberos 5 principal without entering a password in the AFS
> SysTray tool.  (See afs-install-notes.txt)
> 
> Tokens for both cells can be obtained during integrated login
> using the "TheseCells" registry setting.  (See registry.txt)

OK, then I think I know what my problem is. Can you please just
check that I got the facts right.

As the users log in using an external KDC trust, the initial
tickets are stored in the MSLSA.

afscreds.exe will find the TGT in the MSLSA and use it to get
tokens for the cells specified in the TheseCells registry
setting.

afscreds.exe will renew tokens as needed, finding updated TGTs
in the MSLSA (after the user unlocks the screen).

I do not need to have leash running.

(The local AFS cell is missing some part of 2b.)

The reason I get tokens for central and a login dialog for local
is that 2b is not working for local.

In UNIX I can work around the broken 2b by setting 'afs-use-524 =
local' in krb5.conf; there is no such setting in OpenAFS/Kerberos
for Windows.
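The chain the mail lays out (TGT in the MSLSA credential cache, cells listed in TheseCells, one token per cell) can be checked step by step from an interactive shell. The PowerShell script below is an added diagnostic, not code from the original thread or from OpenAFS. It assumes that Kerberos for Windows' klist and OpenAFS' tokens and aklog are on PATH, and that TheseCells lives under HKLM\SOFTWARE\OpenAFS\Client\NetworkProvider; that key path is an assumption, so check registry.txt for your version and adjust $RegKey if the value is stored elsewhere (for example under a per-domain subkey).

```powershell
# Added diagnostic example; not part of the original mail or of OpenAFS.
# ASSUMPTION: TheseCells (REG_MULTI_SZ) is read from this key. Adjust if
# registry.txt for your OpenAFS version places it under another subkey.
$RegKey = 'HKLM:\SOFTWARE\OpenAFS\Client\NetworkProvider'

function Get-TheseCells {
    param([string]$Key = $RegKey)
    $item = Get-ItemProperty -Path $Key -Name TheseCells -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    # REG_MULTI_SZ comes back as a string array; drop empty trailing entries.
    return @($item.TheseCells | Where-Object { $_ -ne '' })
}

function Get-MslsaTgt {
    # MIT klist (Kerberos for Windows) can read the LSA cache directly.
    # A krbtgt/ line here is what afscreds.exe derives AFS tokens from.
    $out = & klist -c MSLSA: 2>&1
    return @($out | Select-String -Pattern 'krbtgt/' | ForEach-Object { $_.Line.Trim() })
}

function Get-TokenCells {
    # tokens.exe prints one line per cell, e.g.
    #   User's (AFS ID 1234) tokens for afs@example.org [Expires Apr 25 22:00]
    $out = & tokens 2>&1
    return @($out | ForEach-Object {
        if ($_ -match 'tokens for afs@(\S+)') { $Matches[1] }
    })
}

# 1. Which cells should integrated logon / afscreds.exe have handled?
$cells = Get-TheseCells
if ($cells.Count -eq 0) {
    Write-Warning "No TheseCells value found under $RegKey"
} else {
    "TheseCells: $($cells -join ', ')"
}

# 2. Is there a Kerberos 5 TGT in the MSLSA at all?
$tgts = Get-MslsaTgt
if ($tgts.Count -eq 0) {
    Write-Warning 'No TGT in MSLSA: - afscreds.exe has nothing to obtain tokens from'
} else {
    $tgts | ForEach-Object { "MSLSA TGT : $_" }
}

# 3. Which configured cells actually have a token? For the missing ones,
#    run aklog by hand so its error text shows which step fails for that cell.
$have = Get-TokenCells
foreach ($cell in $cells) {
    if ($have -contains $cell) {
        "token OK      : $cell"
    } else {
        "token MISSING : $cell  (running aklog -d -c $cell)"
        & aklog -d -c $cell 2>&1 | ForEach-Object { "    aklog: $_" }
    }
}
```

Run it in the user's own session after a fresh login or screen unlock, since that is when the MSLSA cache is refreshed; a cell that is listed in TheseCells but still fails under aklog is the one to compare against the UNIX-side krb5.conf workaround.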