[OpenAFS] Questions regarding AFS ticket lifetime

Lars Schimmer l.schimmer@cgv.tugraz.at
Fri, 20 Apr 2012 13:30:00 +0200

On 20.04.2012 12:53, Anders Magnusson wrote:
> On 04/20/2012 09:35 AM, Lars Schimmer wrote:
>>>  From memory, during our Windows XP days (different OS, different
>>> OpenAFS, different Network Identity Manager, different MIT Kerberos
>>> for Windows), just locking and unlocking the computer refreshed the
>>> AFS ticket.
>>> How has this changed for Windows 7 and our current setup, as this
>>> no longer seems to be working?
>> Remember the 2 different credential caches of Windows - one of the system
>> at login and one for NetworkID Manager.
>> On login you get a ticket/token with the Windows built-in credential
>> cache which CANNOT be accessed by Network ID Manager.
>> Only after you have obtained a token manually in NetworkID Manager does it
>> renew the token automatically, and you can set the token lifetime with
>> Network ID Manager.
> The problem is:
> 1) Automatic renewal of the tgt by NiM does not work on Windows 7.  It did
> on XP.
> 2) Letting NiM fetch a new tgt when the user unlocks the screen does not
> work.  It did on XP.

Windows 7 is not Windows XP; MS changed a lot based on security and user
Read the OpenAFS release notes about obtaining tokens on login:

"Integrated Logon will not transfer Kerberos v5 tickets into the user's
logon session credential cache. This is no longer possible on Vista and
Windows 7."

> It gives a bad user experience to tell them that they need to fetch
> stuff manually,
> since they did not need to do so on XP but now on Windows 7.  Therefore
> we need to
> find out what is wrong since this was not a problem before (with XP).

It is a security precaution situation made by MS. Go and ask MS to
change it.

> -- Ragge

Lars Schimmer
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723