[OpenAFS] Windows Terminal server and afs clients

Christopher D. Clausen cclausen@acm.org
Tue, 15 Jun 2004 02:38:16 -0500

On Monday, June 14, 2004 7:26p <jhutz@cmu.edu> wrote:
> On Monday, June 14, 2004 19:21:32 -0400 Derek Atkins <warlord@MIT.EDU>
> wrote:
>> Jeffrey Altman <jaltman@columbia.edu> writes:
>>>      - setcrypt
>> For setcrypt, IMHO a non-root (non-admin) user should be allowed to
>> go up, but not down.  E.g., a user should be allowed to turn crypto
>> protection on, but not off.  I'm not sure if the Unix client allows
>> that...
> I disagree.  This is a system-wide setting, and changing it in either
> direction has implications.  A user turning this on would cause the
> system to consume resources which do not belong to him.
> It would be nice to have a per-PAG flag indicating whether encrypted
> connections should be used.  But we don't have that today.

Would it be possible to have a registry key that determines if normal 
users can run the fs commands?  I personally do not care if a user wants 
encryption or not if it is a single user system (Windows XP, Windows 
2000 Professional).  Mostly because transfering large files with 
encryption on from a slow maachine will take much longer, 4-5x in my 
environment.  If a user has large quantities of data they are 
transfering they should have the option to turn encryption off.  Now, if 
it is a multiple-user system (Windows 2003, Windows 200 Server) where 
the results would affect multiple users, the administrators should 
determine if encryption is on or not.

Christopher D. Clausen