[OpenAFS] Unable to prevent KAS from granting tickets to WIndows-Client

[johannes groener]

Hello,

I have problems dealing with an OpenAFS-installation at school. To set 
up an examination-environment, I need to prevent pupils from accessing 
their files using their own accounts (they get temporary accounts for 
this purpose).  This is managed by setting the NOTGS-flag wit kas, and 
works fine on linux-clients with either the OpenAFS-Client 1.2.8 or 
1.2.11 installed (server tested also with both this versions).
klog says: "Unable to authenticate to AFS because may not authenticate 
as this user."

When I ask for a token with windows-client 1.2.10 or 1.3.63, using gui 
or klog-command (no integrated login),  I get it. "kas examine" shows me 
the NOTGS-flag for the user.
I also tried to lock the user by exceeding his allowed attempts of 
unsuccessful authentications, then klog tells me "Unable to authenticate 
to AFS because ID is locked - see your system admin (KALOCKED)" on 
linux-clients, and also kas argues "User is locked forever", but I see 
no effects at the windows-client, still get tokens, still get access to 
personal files.

In all cases 
<http://dict.tu-chemnitz.de/dings.cgi?o=3003;count=50;service=en-de;query=circumstances>flushing 
the cache, unloging and rebooting the client-machine does not change 
circumstances. There is an account-manager installed on the 
windows-clients, wich in both versions recognizes the NOTGS-flag, does 
not show the status "locked" but can unlock the user.

The windows-clients run unpatched XP pro, and there are no other 
problems with the AFS-clients, but teachers who refuse to work with linux.

Is there anyone ho can tell me how to solve the problem, or has another 
idea how to lock user-accounts?

Greetings from old europe, Johannes