[OpenAFS] OpenAFS logon token problem...

Rodney M Dyer rmdyer@uncc.edu
Mon, 11 Feb 2002 15:07:38 -0500


Hi,

As you have stated, my problem was that I need to be able to set the user's 
logon token with AFS_SETTOK_LOGON because I'm running aklog.exe from within 
the NPLogonNotify() routine of "afslogon.c".  I groveled through the code 
of ka_UserAuthenticateGeneral2() and found that the aclient.smbname was 
being set, either to a random string (in the case of high security SMB 
option), or the user's name.  You were correct in your assessment of my problem.

I have since fixed the problem by simply adding a single line of code to my 
aklog source that will set the aclient.smbname before the ktc_SetToken() 
call.  This prevents the KTC_INVAL error.  It is somewhat interesting to me 
that the ktc_SetToken() call accepts the new value aclient.smbname as a 
zero-terminated string.

Thanks for your help.

Rodney

Rodney M. Dyer
PC Systems Programmer
College of Engineering Computing Services
University of North Carolina at Charlotte
Email rmdyer@uncc.edu
Phone (704)687-3518
Help Desk Line (704)687-3150
FAX (704)687-2352
Office  267 Smith Building

At 02:39 AM 2/8/02 -0800, you wrote:

>I believe the ktc_SetToken() call in aklog was affected by the "random SMB
>user name" code (for higher security specifically designed for shared
>workstations and telnet servers).  Calling ktc_SetToken() with the
>AFS_SETTOK_LOGON would require passing in a random SMB user name generated
>by the caller.  I believe kalog() does not do that.  Does aklog really
>need to set the AFS_SETTOK_LOGON flag?  I think AFS_SETTOK_LOGON is only
>to be set when Windows Integrated Logon is used.
>
>Unsetting AFS_SETTOK_LOGON flag when calling ktc_SetToken() by kalog seems
>to be ok.
>
>Shyh-Wei Luan
>
>
>
>Rodney M Dyer <rmdyer@uncc.edu>@openafs.org on 2002/02/07 03:26:28 PM
>
>Sent by:    openafs-info-admin@openafs.org
>
>
>To:    openafs-info@openafs.org
>cc:
>Subject:    [OpenAFS] OpenAFS logon token problem...
>
>
>
>Hello,
>
>I've been using Transarc's version of AFS since it came out as a client for
>Microsoft NT.  We are now migrating to a true kerberos 5 environment with
>OpenAFS clients.  At user logon we've taken the "afslogon.c" code and
>modified only very slightly to shell out and perform a kinit, then
>aklog.  Within the aklog code we simply modified the ktc_SetToken() call so
>that it would set the logon user's token with AFS_SETTOK_LOGON.  This works
>fine under Transarc's version of AFS.
>
>We are now trying to switch to OpenAFS and are finding a problem.  When we
>log on we get a dialog from the AKLOG code that says "Bad ticket length"
>which is equal to the define KTC_INVAL.  If I don't try to use the
>AFS_SETTOK_LOGON define in ktc_SetToken() the AKLOG works fine under
>OpenAFS.
>
>Does anyone have any idea of what changed in OpenAFS's code tree that would
>affect the operation of the ktc_SetToken() call within AKLOG?
>
>Help is very much appreciated.
>
>Thanks,
>
>Rodney
>
>Rodney M. Dyer
>PC Systems Programmer
>College of Engineering Computing Services
>University of North Carolina at Charlotte
>Email rmdyer@uncc.edu
>Phone (704)687-3518
>Help Desk Line (704)687-3150
>FAX (704)687-2352
>Office  267 Smith Building
>
>_______________________________________________
>OpenAFS-info mailing list
>OpenAFS-info@openafs.org
>https://lists.openafs.org/mailman/listinfo/openafs-info