[OpenAFS] Integrated logon and locking/unlocking workstations
Thu, 30 Oct 2008 18:46:31 +0100
Jeffrey Altman wrote:
> Douglas E. Engert wrote:
>> The netmgr can import tickets from MSLSA, but only appears to do this
>> at login or when the import credentials is selected. Could it do this
>> on a periodic basis to check if the MSLSA TGT might have been updated
>> by a screen unlock? Or did I miss something?
>> So if Ryan can use the Windows DC as the KDC, with renewable tickets
>> with a reasonable RenewUntil time, and the users unlock their machines
>> some time within the RenewUntil time, they would never lose
>> their AFS token.
> There are lots of things NIM could do. None of them are things that
> NIM does today. Therefore, NIM as currently shipped will not do what
> Ryan needs.
> The correct one is to receive notification that the LSA has new tickets
> and do something with them. The only notifications I see are for
> terminal server. I will need to research what other possibilities
> there are.
Not that I know how any of these things work in Windows, but wouldn't it be
possible to get the LSA to keep track of and renew the afs ticket, and
have a really small program that just asks the LSA for the afs principal
it to an afs token? And then let the LSA handle everything around.