[OpenAFS] Questions regarding AFS ticket lifetime

Jeffrey Altman jaltman@secure-endpoints.com
Fri, 20 Apr 2012 09:40:06 -0400

If you configure the default credential cache to be MSLSA: then the LSA
credentials will be used.

The functionality (an explorer shell logon hook) that was used to copy
credentials at logon no longer exists on Vista and later versions of
the operating system.  Since the functionality does not exist, the
functions exported from kfwlogon.dll do not get executed and no
Kerberos tickets can be copied into the API: credential cache.

I have plans to build a new in-kernel credential cache mechanism using
the AFS Authentication Groups available in the 1.7.x series.  I have no
available resources at the moment to implement it and I can't make a
commitment as to when I will.

At the moment afslogon.dll will obtain a new AFS token at logon, but it
will not be renewable.

Jeffrey Altman

On Friday, April 20, 2012 9:25:13 AM, Anders Magnusson wrote:

> Yes, I have seen that, but that does not explain the behaviour since I
> have no wish to fetch things from MSLSA.
> Integrated logon works, but fetching new krbtgt at unlock of the login
> window does not.
> And BTW, importing tickets from MSLSA to API seems to work (pressing
> import button).
> -- Ragge
