[OpenAFS] Questions regarding AFS ticket lifetime (fwd)

Jeffrey Altman jaltman@secure-endpoints.com
Fri, 20 Apr 2012 09:41:27 -0400

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

On Friday, April 20, 2012 8:33:09 AM, Stephen Joyce wrote:
> On Fri, 20 Apr 2012, Lars Schimmer wrote:
>>> The problem is:
>>> 1) Automatic renewal of the tgt by NiM do not work on Windows 7.  It
>>> did on XP.
>>> 2) Letting NiM fetch a new tgt when the user unlocks the screen do not
>>> work.  It did on XP.
>> Windows 7 is not Windows XP, MS changed a lot based on security and user
>> management.
>> Read the OpenAFS release notes about obtaining tokens on login:
>> http://www.openafs.org/dl/openafs/1.7.10/winxp/ReleaseNotes/html/ch03s=
>> "Integrated Logon will not transfer Kerberos v5 tickets into the user's
>> logon session credential cache. This is no longer possible on Vista and
>> Windows 7."
> I thought the gotcha above was only true if UAC was turned on AND the
> user in question was an admin.
>  "On Windows Vista, Windows 7, and Windows Server 2008 the operating
> system does not permit the importation of the Kerberos Ticket Granting
> Ticket if the active user account is a member of the Administrators or
> Domain Administrators groups and User Account Control (UAC) mode is
> active."
> <https://www.secure-endpoints.com/netidmgr/v2/docs/netidmgr/html/config=
> Have you tried ticket importing as a non-admin user and/or with UAC
> off? It must still be configured in the NIM options, of course.
> Cheers, Stephen

This is not a UAC issue.  This is related to the lack of a logon and
logoff event handler in Vista and beyond.

Jeffrey Altman
