[OpenAFS] OpenAFS/Kerberos Windows client
Christopher D. Clausen
cclausen@acm.org
Sat, 23 Aug 2008 14:46:52 -0500
Karen L Eldredge <keldredg@us.ibm.com> wrote:
> I'm not real familiar with Windows, because I mostly work on AIX or
> Linux. AIX and Linux have the tool k5start that can be used to run
> scheduled (cron) jobs by accessing the principal's password via a
> keytab file. Is there something similar for Windows?

I use the "at" command to create scheduled tasks that run as the local
SYSTEM user. These tasks automatically have access to the SYSTEM host
principal (COMPUTERNAME$@REALM) in the MSLSA cache for machines joined
to Active Directory. You can then just have your script run aklog to
obtain tokens (provided you create a PTS entry for the SYSTEM user).
Windows will auto-renew the tickets so you'd just need to periodically
obtain new tokens. I don't have jobs that run long enough to need to
renew tokens.

If you want to run a job as a particular user, the same thing applies,
only you have to actually enter the user's password to create the job.
The user's Kerberos credentials are accessible in the same way.

In theory you could write a short script that does the same thing as
k5start but I'm not sure what it will gain you. The hard part of
renewing tickets / tokens is handled by Windows if you are using Active
Directory.

<<CDC
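
The approach described in the message above, sketched as a wrapper script for a SYSTEM scheduled task. This is an added example, not part of the original message or of OpenAFS. The cell name, paths, job script and retry count are assumptions, and the PTS entry for the machine principal is assumed to exist already.

```batch
@echo off
rem Added example (not from the original message): wrapper for a job that
rem "at" starts as the local SYSTEM user on a domain-joined machine.
rem Scheduled, for instance, with (path is hypothetical):
rem   at 02:00 /every:M,T,W,Th,F C:\scripts\afs-job.cmd
rem No keytab or stored password is involved: aklog uses the machine
rem credentials that Windows keeps in the MSLSA cache for SYSTEM.
setlocal

rem Assumed values, replace with your own.
set "CELL=cell.example.org"
set "JOB=C:\scripts\nightly-job.cmd"
set "LOG=%SystemRoot%\Temp\afs-job.log"
set TRIES=0

echo %DATE% %TIME% starting, requesting token for %CELL% >>"%LOG%"

:get_token
set /a TRIES+=1
aklog -c %CELL% >>"%LOG%" 2>&1
if not errorlevel 1 goto have_token
rem Retrying is a choice made for this example, in case the AFS client
rem or the network is not ready yet when the task fires.
if %TRIES% GEQ 3 goto no_token
ping -n 31 127.0.0.1 >nul
goto get_token

:no_token
rem Fail closed: never run the job without a token, so it cannot
rem silently proceed with anonymous AFS access.
echo %DATE% %TIME% aklog failed after %TRIES% attempts, job not run >>"%LOG%"
exit /b 1

:have_token
rem Record which token the job ran with, for later troubleshooting.
tokens >>"%LOG%" 2>&1
call "%JOB%" >>"%LOG%" 2>&1
set RC=%ERRORLEVEL%
echo %DATE% %TIME% job finished with exit code %RC% >>"%LOG%"
exit /b %RC%
```

Keep the wrapper and the job script writable only by administrators, since anything they contain runs as SYSTEM with the machine's AFS identity.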