[OpenAFS-devel] [Win] Status of remote logins

Franco "Sensei" Sensei <senseiwa@tin.it>
Fri, 25 Feb 2005 12:09:35 -0600



Jeffrey Altman wrote:
> You do not seem to understand how integrated login works.  You login to
> Windows and Windows finds the account.  The account indicates where the
> profile is located including the User's Registry Hive.  Windows calls
> the network provider to enable the provider to obtain credentials to
> access network services in case they are required to load the profile.
> Windows then loads the profile.

Yes, I know it...

> There is no interaction by anything provided by MIT KFW or OpenAFS which
> can determine what the account is and where its profile is located. Now
> you can map a Kerberos 5 principal to a local account via the registry
> and you can point the profile for that account to AFS, but you can't
> use a non-Windows Kerberos 5 principal to define a new account.

...and the interaction is what I'd like. Logging into Windows should be 
something a la pam_krb5afs + LDAP, without AD. Somehow, Active Directory 
makes remote users possible, no mapping at all since no local account is 
needed on the local machine. Is it possible to create something like what I'm 
describing? They do it (with AD Kerberos as you pointed out, but it's always 
Kerberos), we can do it (probably). How to retrieve where the profile is 
located is a matter of LDAP, so we could be able to use LDAP in some 
way, as they do with AD.

I'm not saying that it is possible here and now with the tools we have 
(KFW and OpenAFS client), but I'm asking if you think it would be 
possible and/or useful.

-- 
Sensei <mailto:senseiwa@tin.it> <pgp:8998A2DB>
        <icqnum:241572242>
        <yahoo!:sensei_sen>
        <msn-id:sensei_sen@hotmail.com>
