[OpenAFS] Windows Terminal server and afs clients
Christopher D. Clausen
cclausen@acm.org
Sun, 13 Jun 2004 15:44:32 -0500
On Sunday, June 13, 2004 3:32p <matt@cs.auckland.ac.nz> wrote:
> Does anyone know if the windows afs client has the same token security
> issues if it has been installed on a terminal server. I can not seem
> to share anyone elses access rights no matter what I do (I tried all
> the methods posted to the mailing list). We unfortunately have to run
> TS next semester in the labs for some courses and our students have
> their home directories in AFS. At the moment if it is not secure we
> will have to run access to disk via our afs web portal.
I have had Windows 2003 Terminal Servers setup with OpenAFS (mostly
using 1.2.11) for over a year and have not seen ANY problems related to
token security. Although I have restricted access to "access this
computer from the network" to administrators to prevent normal users
from mapping shares. Not sure if this affects OpenAFS or not. Are the
vulnerabilities theoretical or has someone actually been able to inherit
access through a non-admin user account on the system?
I have noticed that normal users can run some commands that you might
not want them to, like fs setcrypt off. But this isn't really a problem
in my environment.
<<CDC
Christopher D. Clausen
ACM@UIUC SysAdmin