[OpenAFS] Windows Terminal server and afs clients

Christopher D. Clausen cclausen@acm.org
Sun, 13 Jun 2004 15:44:32 -0500


On Sunday, June 13, 2004 3:32p <matt@cs.auckland.ac.nz> wrote:
> Does anyone know if the Windows AFS client has the same token security
> issues if it has been installed on a terminal server? I cannot seem
> to share anyone else's access rights no matter what I do (I tried all
> the methods posted to the mailing list). We unfortunately have to run
> TS next semester in the labs for some courses and our students have
> their home directories in AFS. At the moment if it is not secure we
> will have to run access to disk via our afs web portal.

I have had Windows 2003 Terminal Servers set up with OpenAFS (mostly
using 1.2.11) for over a year and have not seen ANY problems related to 
token security.  Although I have restricted access to "access this 
computer from the network" to administrators to prevent normal users 
from mapping shares.  Not sure if this affects OpenAFS or not.  Are the 
vulnerabilities theoretical or has someone actually been able to inherit 
access through a non-admin user account on the system?

I have noticed that normal users can run some commands that you might 
not want them to, like fs setcrypt off.  But this isn't really a problem 
in my environment.

<<CDC
Christopher D. Clausen
ACM@UIUC SysAdmin