[OpenAFS] OpenAFS 1.2.2b and "normal" security

Shyh-Wei Luan luan@almaden.ibm.com
Fri, 1 Feb 2002 12:40:09 -0800


OpenAFS Windows NT/2000/XP client (an SMB server implementation) maps
<user name, machine name> pairs to AFS tokens.  This approach works fine
for single user machines; however, for multi-user machines like a public
workstation or a telnet server, a user can break this security simply by
choosing to connect to an SMB share using a different user name.  The
random user names approach addresses this problem.

Terminal servers do not need to use the random user names feature as they
do not allow one user to use another user's name when connecting with SMB
shares.

The main reason for changing the default installation to not using random
user names was because we believed that the feature was unnecessary for
most client setups.   The other reason was that the random user names
feature did not work automatically on XP (although it worked on NT and
2000) and needed some porting work.

Shyh-Wei Luan

Jason Garman <jgarman@wedgie.org>@openafs.org on 02/01/2002 11:32:25 AM

Please respond to jgarman@wedgie.org

Sent by:    openafs-info-admin@openafs.org


To:    openafs-info@openafs.org
cc:
Subject:    [OpenAFS] OpenAFS 1.2.2b and "normal" security



I see that the new setting on OpenAFS Windows clients as of 1.2.2b is
*not* to generate random user-names for the SMB redirector.  As I
understood, the random usernames were added to increase security on
multi-user Citrix or Terminal Server machines.  Since I'm running the
client on Citrix Metaframe servers, I should keep the random usernames,
correct?  Is there some reason that this functionality is no longer the
default?

Thanks
--
Jason Garman / jgarman@wedgie.org
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info