[OpenAFS] Integrated logon and locking/unlocking workstations

Anders Magnusson ragge@ltu.se
Thu, 30 Oct 2008 18:46:31 +0100


Jeffrey Altman wrote:
> Douglas E. Engert wrote:
>
>   
>> Jeff,
>> The netmgr can import tickets from MSLSA, but only appears to do this
>> at login or when the import credentials is selected.  Could it do this
>> on a periodic basis to check if the MSLSA TGT might have been updated
>> by a screen unlock?  Or did I miss something?
>>
>> So if Ryan can use the Windows DC as the KDC, with renewable tickets
>> with a reasonable RenewUntil time, and the users unlock their machines
>> some time within the RenewUntil time, they would never lose
>> their AFS token.
>>     
>
> There are lots of things NIM could do.  None of them are things that
> NIM does today. Therefore, NIM as currently shipped will not do what
> Ryan needs.
>
> The correct one is to receive notification that the LSA has new tickets
> and do something with them.   The only notifications I see are for
> terminal server.   I will need to research what other possibilities
> there are.
>   
Not that I know how any of these things work in Windows, but wouldn't it be
possible to get the LSA to keep track of and renew the afs ticket, and then
just have a really small program that just asks the LSA for the afs principal
and converts it to an afs token?  And then let the LSA handle everything around.

-- Ragge