[OpenAFS] Unable to prevent KAS from granting tickets to Windows-Client

johannes groener rpts@volxwerk.net
Tue, 27 Apr 2004 17:36:22 +0200

Thank you. It works (kas setfields -name [name] -expiration [NOW | NEVER])!
Not fine that klog says "Unable to authenticate to AFS because password 
has expired (KAPWEXPIRED)" on linux now, but I can stand it ...

Derrick J Brashear wrote:

>It's been a while, but you should be able to use expires NOW and expires
>NEVER to lock and unlock accounts; I think this was set with kas setf but
>I don't remember for sure.
>NOTGS was probably never implemented for krb4 (as opposed to ka)
>
>On Tue, 27 Apr 2004, johannes groener wrote:
>>I have problems dealing with an OpenAFS-installation at school. To set
>>up an examination-environment, I need to prevent pupils from accessing
>>their files using their own accounts (they get temporary accounts for
>>this purpose).  This is managed by setting the NOTGS-flag with kas, and
>>works fine on linux-clients with either the OpenAFS-Client 1.2.8 or
>>1.2.11 installed (server tested also with both these versions).
>>klog says: "Unable to authenticate to AFS because may not authenticate
>>as this user."
>>When I ask for a token with windows-client 1.2.10 or 1.3.63, using gui
>>or klog-command (no integrated login),  I get it. "kas examine" shows me
>>the NOTGS-flag for the user.
>>I also tried to lock the user by exceeding his allowed attempts of
>>unsuccessful authentications, then klog tells me "Unable to authenticate
>>to AFS because ID is locked - see your system admin (KALOCKED)" on
>>linux-clients, and also kas argues "User is locked forever", but I see
>>no effects at the windows-client, still get tokens, still get access to
>>personal files.
>>In all cases
>>the cache, unlogging and rebooting the client-machine does not change
>>circumstances. There is an account-manager installed on the
>>windows-clients, which in both versions recognizes the NOTGS-flag, does
>>not show the status "locked" but can unlock the user.
>>The windows-clients run unpatched XP pro, and there are no other
>>problems with the AFS-clients, but teachers who refuse to work with linux.
>>Is there anyone who can tell me how to solve the problem, or has another
>>idea how to lock user-accounts?
>>Greetings from old europe, Johannes
>>OpenAFS-info mailing list