[OpenAFS] Unable to prevent KAS from granting tickets to WIndows-Client

Derrick J Brashear shadow@dementia.org
Tue, 27 Apr 2004 11:11:43 -0400 (EDT)

It's been a while, but you should be able to use expires NOW and expires
NEVER to lock and unlock accounts; I think this was set with kas setf but
I don't remember for sure.

NOTGS was probably never implemented for krb4 (as opposed to ka)

On Tue, 27 Apr 2004, johannes groener wrote:

> Hello,
> I have problems dealing with an OpenAFS-installation at school. To set
> up an examination-environment, I need to prevent pupils from accessing
> their files using their own accounts (they get temporary accounts for
> this purpose).  This is managed by setting the NOTGS-flag wit kas, and
> works fine on linux-clients with either the OpenAFS-Client 1.2.8 or
> 1.2.11 installed (server tested also with both this versions).
> klog says: "Unable to authenticate to AFS because may not authenticate
> as this user."
> When I ask for a token with windows-client 1.2.10 or 1.3.63, using gui
> or klog-command (no integrated login),  I get it. "kas examine" shows me
> the NOTGS-flag for the user.
> I also tried to lock the user by exceeding his allowed attempts of
> unsuccessful authentications, then klog tells me "Unable to authenticate
> to AFS because ID is locked - see your system admin (KALOCKED)" on
> linux-clients, and also kas argues "User is locked forever", but I see
> no effects at the windows-client, still get tokens, still get access to
> personal files.
> In all cases
> <http://dict.tu-chemnitz.de/dings.cgi?o=3003;count=50;service=en-de;query=circumstances>flushing
> the cache, unloging and rebooting the client-machine does not change
> circumstances. There is an account-manager installed on the
> windows-clients, wich in both versions recognizes the NOTGS-flag, does
> not show the status "locked" but can unlock the user.
> The windows-clients run unpatched XP pro, and there are no other
> problems with the AFS-clients, but teachers who refuse to work with linux.
> Is there anyone ho can tell me how to solve the problem, or has another
> idea how to lock user-accounts?
> Greetings from old europe, Johannes
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info