[OpenAFS] AFS tokens when logging in on Windows clients

Jeffrey Altman jaltman@your-file-system.com
Wed, 15 Feb 2012 17:31:44 -0500

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

If "LogonOptions" is set to 0, there is nothing configured to obtain AFS
tokens.  If tokens are obtained by Network Identity Manager, it will be
when Network Identity Manager performs an auto-renewal which is not at a
specific time.  Obtaining AFS Tokens at logon time is performed by
winlogon.exe/mpnotify.exe when it calls the NPLogonNotify() function of
the afslogon.dll.

Jeffrey Altman

On 2/15/2012 5:18 PM, John Perkins wrote:
> We've found our Windows 7 systems are reliable about obtaining kerberos=

> tickets when users login at our site (all user accounts are
> authenticated against an MIT kerberos KDC during login).
> Obtaining AFS tokens at the same time is not as reliable.  Going into
> Network Identity Manager and renewing credentials typically will obtain=

> tokens.  Running aklog will obtain tokens.  90-95% of the time tokens
> are obtained.  This is with
> HKLM\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemon\NetworkProvide=
> set to "0".
> I'm experimenting with setting the LogonOptions setting to "1" to see i=
> that clears up this issue.  If having LogonOptions set to "1" is still
> necessary to reliably get AFS tokens generated at login time, I'm
> surprised we saw it work so often in the past with this registry key se=
> to "0".
> Any other suggestions to ensure users receive AFS tokens at login time?=

> John
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

Version: GnuPG v1.4.9 (MingW32)