[OpenAFS] Questions regarding AFS ticket lifetime

Anders Magnusson ragge@ltu.se
Fri, 20 Apr 2012 15:25:13 +0200

On 04/20/2012 01:30 PM, Lars Schimmer wrote:
> On 20.04.2012 12:53, Anders Magnusson wrote:
>> On 04/20/2012 09:35 AM, Lars Schimmer wrote:
>>>>    From memory, during our Windows XP days (different OS, different
>>>> OpenAFS, different Network Identity Manager, different MIT Kerberos
>>>> for Windows), just locking and unlocking the computer refreshed the
>>>> AFS ticket.
>>>> How has this changed for Windows 7 and our current setup, as this
>>>> no longer seems to be working?
>>> Remember the 2 different credential caches of Windows - one of the system
>>> at login and one for Network ID Manager.
>>> On login you get a ticket/token with the Windows built-in credential
>>> cache which CANNOT be accessed by Network ID Manager.
>>> Only after you have obtained a token manually in Network ID Manager does it
>>> renew the token automatically, and you can set the token lifetime with
>>> Network ID Manager.
>> The problem is:
>> 1) Automatic renewal of the tgt by NiM does not work on Windows 7.  It did
>> on XP.
>> 2) Letting NiM fetch a new tgt when the user unlocks the screen does not
>> work.  It did on XP.
> Windows 7 is not Windows XP, MS changed a lot based on security and user
> management.
> Read the OpenAFS release notes about obtaining tokens on login:
> http://www.openafs.org/dl/openafs/1.7.10/winxp/ReleaseNotes/html/ch03s06.html
> "Integrated Logon will not transfer Kerberos v5 tickets into the user's
> logon session credential cache. This is no longer possible on Vista and
> Windows 7."
Yes, I have seen that, but that does not explain the behaviour since I
have no wish to fetch things from MSLSA.
Integrated logon works, but fetching a new krbtgt at unlock of the login
window does not.
And BTW, importing tickets from MSLSA to API seems to work (pressing the
import button).

-- Ragge

>> It gives a bad user experience to tell them that they need to fetch
>> stuff manually, since they did not need to do so on XP but now do on
>> Windows 7.  Therefore we need to find out what is wrong since this was
>> not a problem before (with XP).
> It is a security precaution situation made by MS. Go and ask MS to
> change it.
>> -- Ragge
> MfG,
> Lars Schimmer