[OpenAFS] Integrated logon and locking/unlocking workstatations

Douglas E. Engert deengert@anl.gov
Thu, 30 Oct 2008 10:10:31 -0500

Ryan L. Means wrote:
> Good afternoon,
> We are just starting to use AFS here at the School of Law at UC 
> Berkeley. Everything seems to be working well with OpenAFS for Windows 
> and the integrated logon functionality that grabs a Kerberos 5 ticket 
> and then the AFS token. Unfortunately, it seems that when a user locks 
> their workstation, leaves for longer than the 10 hour ticket expiration 
> period, and then comes back, the ticket and token have expired and the 
> act of unlocking the workstation doesn't get another set.
> We do have an abnormal setup here where there are two realms, one MIT, 
> one AD.

Different realm names?

> The passwords are synchronized between the realms, but the user
> does log into their workstation using the AD identity and access AFS 
> resources with the MIT identity.

Is the AFS access then using K4 or K5 to get AFS tokens?

> So far, with the integrated login, this 
> hasn't been a problem. Is this locking/unlocking issue caused by the 
> split realms, or is there another force at work?
> Thanks to anyone who can help!

Is there any reason that you could not use the AD K5 realm to get the
afs K5 ticket? At least for Windows users?

As Jeff pointed out in a previous note there is no notification for the
screen unlock where the netmgr could get the username and password to use
with the second realm.

With K5, tickets may be renewable and the netmgr will renew K5 tickets
and get a new AFS token so the 10 hour limit is not a real issue
till the RenewUntil time was reached.  If your MIT realm is using K5
does it allow renewable tickets, and for how long?

If you could use the Windows KDC with AFS, the netmgr could use
the MSLSA to get the updated TGT created by screen unlock with a new
RenewUntil time.

The netmgr can import tickets from MSLSA, but only appears to do this
at login or when "import credentials" is selected.  Could it do this
on a periodic basis to check if the MSLSA TGT might have been updated
by a screen unlock?  Or did I miss something?

So if Ryan can use the Windows DC as the KDC, with renewable tickets
with a reasonable RenewUntil time, and the users unlock their machines
some time within the RenewUntil time, they would never lose
their AFS token.

> Ryan
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444