[OpenAFS] Windows Logon Scripts

Christopher D. Clausen cclausen@acm.org
Tue, 6 Dec 2005 13:29:20 -0600

Mike Bydalek wrote:
> One of the caveats to using the Kerberos logins is that you need a
> local account, which contains a local profile.

Uhh, you do NOT need local accounts.  You can use an Active Directory 
Domain and correctly set a domain trust to the MIT Realm.  Such a trust 
exists between UIUC.EDU (MIT) -> AD.UIUC.EDU (MS AD) -> ACM.UIUC.EDU 
(MIT).  These AD accounts also have the user accounts set up to have 
@UIUC.EDU principals for each account in order for the trust to work.  I 
didn't set that part up, so I'm not sure how to do it, but it is 

Perhaps I am not understanding your setup though.  Do you WANT to use 
local accounts?  Do you have Active Directory set up already?

> All I want to do is just have one additional drive map to
> /afs/.../home/%USERNAME% when a user logs in, and redirect the desktop
> and "My Documents" (Start with the basics).

I use group policy (set up through AD) to perform "folder redirection" 
(Policy -> User configuration -> Folder Redirection) to 
\\AFS\acm.uiuc.edu\user\%USERNAME%\Desktop paths.  It seems to work the 
majority of the time for most users.  (I think you need to set 
system:anyuser l in the directory, but I could be wrong.)

If users are in the appropriate group, they obtain tokens at login 
through the OpenAFS integrated login functionality and the 
desktop/documents get redirected when they log in.

You can also use group policy to set login scripts (and possibly even 
have said login script in AFS.)

Christopher D. Clausen
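An added example, not from the thread or the OpenAFS project: a PowerShell logon script that does the drive map Mike asked for against a \\AFS\<cell>\user\%USERNAME% path, failing cleanly when no token is held, and reporting if system:anyuser has more than the 'l' (lookup) right on the directory. The cell name, share layout and drive letter are assumed placeholders.

```powershell
# Added example (not from the thread). Placeholders: cell name, path layout, drive letter.
$Cell        = 'example.cell'                     # placeholder AFS cell name
$DriveLetter = 'H'
$HomePath    = "\\AFS\$Cell\user\$env:USERNAME"   # same layout as \\AFS\acm.uiuc.edu\user\%USERNAME%

function Test-AfsHome {
    param([string]$Path)
    # With OpenAFS integrated logon the client already holds a token; without one
    # the path does not resolve, so stop early with a clear message.
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "AFS home '$Path' is not reachable (no AFS token, or directory missing)."
        return $false
    }
    return $true
}

function Get-AnyuserRight {
    param([string]$Path)
    # 'fs listacl' is the OpenAFS client command; only the system:anyuser entry matters here.
    $acl   = & fs listacl $Path 2>&1
    $entry = $acl | Where-Object { $_ -match '^\s*system:anyuser\s+\S+' } | Select-Object -First 1
    if ($entry -and $entry -match '^\s*system:anyuser\s+(\S+)') { return $Matches[1] }
    return $null
}

if (Test-AfsHome -Path $HomePath) {
    $right = Get-AnyuserRight -Path $HomePath
    if ($right -and $right -ne 'l') {
        # Lookup is all the client needs to traverse into the directory; anything wider is excess.
        Write-Warning "system:anyuser has '$right' on $HomePath; only 'l' is needed for redirection."
    }
    # Drop a stale mapping from an earlier session, then map per-session (not persistent).
    if (Test-Path -LiteralPath "$($DriveLetter):") {
        net use "$($DriveLetter):" /delete /y | Out-Null
    }
    net use "$($DriveLetter):" $HomePath /persistent:no | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Host "Mapped $($DriveLetter): to $HomePath" }
    else { Write-Warning "net use failed with exit code $LASTEXITCODE" }
}
```

Assign it as a user logon script through the same group policy object that carries the folder redirection settings, so it runs only after integrated logon has obtained the token.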