[OpenAFS-devel] Multi-User Windows 2000 Token security
Marc Dionne
dionne@cs.wisc.edu
Wed, 03 Oct 2001 12:25:47 -0500
Shyh-Wei Luan wrote:
>
> The above scheme is sufficient for Windows NT because it keeps a
> single SMB session while the user is logged on. However, it is broken
> on Windows 2000 because Windows spontaneously starts new sessions with
> connected servers which essentially invalidate established User and
> Session Id's. User names are sent to the cache manager again in this
> process and the cache manager (the SMB server) needs to map these
> users to existing AFS tokens. This was not done in early versions of
> the AFS Windows 2000 client, and users experienced lost tokens.
Interestingly, I noticed from looking at trace logs from IBM's 3.6-2.5
client that their SMB server does NOT receive multiple SessionSetup
requests for the same user, unlike the OpenAFS client. This suggests to
me that it is something specific to the OpenAFS client, and efforts
might be better spent figuring out why this is happening, rather than
trying to patch all the problems that it causes downstream. We should
maybe look at the SMB exchanges that occur before the SessionSetup calls
to see what triggers the different behaviour. It looks to me like most
(perhaps all) SessionSetup calls occur in OpenAFS when the user starts
accessing a different share. With IBM AFS, there's a TreeConnect call,
but no SessionSetup call in this situation.
Marc