[OpenAFS] UAC in Windows 7 prevents importing Kerberos TGT to NIM

Erik Dalén erik.dalen@mensa.se
Mon, 11 Apr 2011 10:51:00 +0200

On Tue, Apr 5, 2011 at 23:07, Jeffrey Altman
<jaltman@secure-endpoints.com> wrote:
> You have two choices.  Disable UAC or stop using an account that is =
> member of the Administrators Group for day to day operations.  I wou=
> choose the latter.
> Jeffrey Altman
> On 4/5/2011 4:51 PM, Jonathan Nilsson wrote:
>> Hello,
>> I'm running Windows 7 Professional 64-bit, joined to an Active Directory=
>> which is my Kerberos REALM for my OpenAFS cell. Everything works fine, b=
ut I
>> have recently noticed that when I login with a domain account, Network I=
>> Manager does not seem to be automatically getting an AFS token. It just =
>> a password prompt for my Kerberos "identity" as it calls it.
>> I did some searching and found this page in the NIM docs which seems to =
>> my situation:
>> http://www.secure-endpoints.com/netidmgr/v2/docs/netidmgr/html/config_k5=
>> which about half way down the page has this paragraph:
>> "On Windows Vista, Windows 7, and Windows Server 2008 the operating syst=
em does
>> not permit the importation of the Kerberos Ticket Granting Ticket if the=
>> user account is a member of the Administrators or Domain Administrators =
>> and User Account Control (UAC) mode is active."
>> My domain account is a member of the local computer's Administrators gro=
up. Is
>> there any workaround besides completely disabling UAC?
>> In the mean time I removed my account from the local "Administrators" gr=
oup, and
>> NIM works again.

Would it be possible to do the import but with an UAC prompt?

Erik Dalén