[OpenAFS] Integrated logon and locking/unlocking workstations

Ryan L. Means rmeans@law.berkeley.edu
Tue, 28 Oct 2008 14:37:46 -0700

Good afternoon,

We are just starting to use AFS here at the School of Law at UC 
Berkeley. Everything seems to be working well with OpenAFS for Windows 
and the integrated logon functionality that grabs a Kerberos 5 ticket 
and then the AFS token. Unfortunately, it seems that when a user locks 
their workstation, leaves for longer than the 10-hour ticket expiration 
period, and then comes back, the ticket and token have expired and the 
act of unlocking the workstation doesn't get another set.

We do have an abnormal setup here where there are two realms, one MIT, 
one AD. The passwords are synchronized between the realms, but the user 
does log into their workstation using the AD identity and access AFS 
resources with the MIT identity. So far, with the integrated login, this 
hasn't been a problem. Is this locking/unlocking issue caused by the 
split realms, or is there another force at work?

Thanks to anyone who can help!