[OpenAFS-devel] Multi-User Windows 2000 Token security
Sam Hartman
hartmans@mekinok.com
27 Sep 2001 11:15:06 -0400
>>>>> "Leif" == Leif Johansson <leifj@it.su.se> writes:
Leif> On Wed, Sep 26, 2001 at 05:24:42PM -0700, James Peterson
Leif> wrote:
>> As others have mentioned there is a security problem with
>> Windows 2000 in a multi-user environment.
>>
>> The only work around is, for multi-user Windows 2000 configure
>> it so that all Logon require a restart.
>>
Leif> If we can trust the security (?) of the local filesystem we
Leif> could presumably replace klog with kinit+afslog (I am
Leif> temporarily ignoring the problems of getting a
Leif> multiuser-safe kerberos on windows) and do an afslog on
Leif> each smb session start. Would this be possible or have I
Leif> just assumed something unrealistic, like access to windows
Leif> sources... ??
I don't think you need to trust the local filesystem. I think you could
recompile kenh's aklog against a version of MIT Kerberos that supports
ccapi and have a solution for at least krb5.
This assumes you can know when the session starts, of course.