[OpenAFS-devel] Win2K bug in OpenAFS 1.2.0 token handling

James Peterson jimpeter@us.ibm.com
Thu, 20 Sep 2001 09:27:14 -0700


> There's a bug in OpenAFS 1.2.0 (and probably earlier versions) on
> Windows 2000 which allows users to use/steal other users' tokens.  In
> some environments this could be a serious security problem.

I'm working in the same area.  There was a bug (the GINA exception) having
to do with accessing AFS files in machine state.

Your problem may involve the SMB client.   If the client doesn't send the
correct UserName to the SMB server, the tokens won't be assigned correctly.
Tokens are associated by matching UserName and machine name at the time of
SMB server SessionStartup.

My guess it's either the SMB client not sending the correct UserName or a
bug in the AFS token association scheme.

Nevertheless, if you could include me in your search for the solution, I
would be most gracious.

James Peterson
"Integrity is the base of excellence."