[OpenAFS] OpenAFS/Kerberos Windows client

Christopher D. Clausen cclausen@acm.org
Sat, 23 Aug 2008 14:46:52 -0500

Karen L Eldredge <keldredg@us.ibm.com> wrote:
> I'm not real familiar with Windows, because I mostly work on AIX or
> Linux. AIX and Linux have the tool k5start that can be used to run
> scheduled (cron) jobs by accessing the principal's password via a
> keytab file.  Is there something similar for Windows?

I use the "at" command to create scheduled tasks that run as the local 
SYSTEM user.  These tasks automatically have access to the SYSTEM host 
principal ( COMPUTERNAME$@REALM ) in the MSLSA cache for machines joined 
to Active Directory.  You can then just have your script run aklog to 
obtain tokens (provided you create a PTS entry for the SYSTEM user.) 
Windows will auto-renew the tickets so you'd just need to periodically 
obtain new tokens.  I don't have jobs that run long enough to need to 
renew tokens.

If you want to run a job as a particular user, the same thing applies, 
only you have to actually enter the user's password to create the job. 
The user's Kerberos credentials are accessible in the same way.

In theory you could write a short script that does the same thing as 
k5start but I'm not sure what it will gain you.  The hard part of 
renewing tickets / tokens is handled by Windows if you are using Active