[OpenAFS] Integrated logon and locking/unlocking workstations

Jeffrey Altman jaltman@secure-endpoints.com
Tue, 28 Oct 2008 16:36:58 -0700


Ryan L. Means wrote:
> Jeffrey Altman wrote:
>> There is no notification to any process that is running that
>> the MSLSA obtained new Kerberos v5 tickets OR a hook that would
>> obtain the user's name/password during unlocking to use to request
>> a new TGT and AFS token.
> 
> So you're saying there really isn't any way to do the same thing on
> unlock that happens on login. Can you think of any other way to solve or
> work around this problem besides just telling the user to log out
> instead of locking? Unfortunately, they won't buy having to type in
> their password twice every time they come in in the morning.
> 
>>
>> There is nothing abnormal about your setup.
>>
>> What are you using for a credential manager?
> 
> I'm using MIT KFW 3.2.2.

The problem is that I don't know what can be used by NetIDMgr as
a trigger to attempt re-importing the MSLSA: TGT and using it to
obtain derivative credentials.

There is no code for this at present.

Jeffrey Altman