[OpenAFS] Windows clients and kpwvalid

David R Boldt dboldt@usgs.gov
Mon, 18 Mar 2002 11:52:32 -0500


This is a multipart message in MIME format.
--=_alternative 005CB37385256B80_=
Content-Type: text/plain; charset="us-ascii"

We are (mostly) using IBM/Transarc's AFS, and are trying to implement some
minimal rules on passwords.  Unix clients go through kpwvalid, But Windows
clients from IBM do not;  email below from IBM:

---------------------------------------------------------------------------------------------------
Develoment went through the source code and noted that
we do not support password validation for Windows, which
we already knew.

What Development did note is the reason being that
the function init_child() in file kkids.c does
nothing in NT. In UNIX this is the place where we call the
kpwvalid stuff.

#ifdef AFS_NT40_ENV
/* We don't allow the use of kpwvalid executable scripts
to set policy
* for passwd changes.
*/
int init_child(char *myname)
{

 using_child = 0;
 return using_child;

}
#else /* !NT40 */

Development did some preliminary analysis regarding the scope
of changes which we'll need to do to implement this, and
it has been decided that we will not pursue this at this time.
The changes needed would affect the binaries kpasswd and the
kas command suite.

---------------------------------------------------------------------------------------------------

Does this inexplicable policy also hold for the OpenAFS release of
the Windows clients?    If the OpenAFS Windows clients use kpwvalid,
this would be a major incentive for us to switch to openAFS for these 
clients.

                                          -- David Boldt
                                             <dboldt@usgs.gov>

--=_alternative 005CB37385256B80_=
Content-Type: text/html; charset="us-ascii"


<br><font size=2 face="sans-serif">We are (mostly) using IBM/Transarc's AFS, and are trying to implement some</font>
<br><font size=2 face="sans-serif">minimal rules on passwords. &nbsp;Unix clients go through kpwvalid, But Windows</font>
<br><font size=2 face="sans-serif">clients from IBM do not; &nbsp;email below from IBM:</font>
<br>
<br><font size=2 face="sans-serif">---------------------------------------------------------------------------------------------------</font>
<br><font size=2><tt>Develoment went through the source code and noted that<br>
we do not support password validation for Windows, which<br>
we already knew.<br>
<br>
What Development did note is the reason being that<br>
the function init_child() in file kkids.c does<br>
nothing in NT. In UNIX this is the place where we call the<br>
kpwvalid stuff.<br>
<br>
#ifdef AFS_NT40_ENV<br>
/* We don't allow the use of kpwvalid executable scripts<br>
to set policy<br>
* for passwd changes.<br>
*/<br>
int init_child(char *myname)<br>
{<br>
<br>
 using_child = 0;<br>
 return using_child;<br>
<br>
}<br>
#else /* !NT40 */<br>
<br>
Development did some preliminary analysis regarding the scope<br>
of changes which we'll need to do to implement this, and<br>
it has been decided that we will not pursue this at this time.<br>
The changes needed would affect the binaries kpasswd and the<br>
kas command suite.</tt></font>
<br>
<br><font size=2 face="sans-serif">---------------------------------------------------------------------------------------------------</font>
<br>
<br><font size=2 face="sans-serif">Does this inexplicable policy also hold for the OpenAFS release of</font>
<br><font size=2 face="sans-serif">the Windows clients? &nbsp; &nbsp;If the OpenAFS Windows clients use kpwvalid,</font>
<br><font size=2 face="sans-serif">this would be a major incentive for us to switch to openAFS for these clients.</font>
<br><font size=2 face="sans-serif"><br>
 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;-- David Boldt<br>
 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &lt;dboldt@usgs.gov&gt;<br>
</font>
--=_alternative 005CB37385256B80_=--