[OpenAFS] Integrated logon and locking/unlocking workstatations

Ryan L. Means rmeans@law.berkeley.edu
Thu, 30 Oct 2008 10:31:17 -0700 

Douglas E. Engert wrote:
> Ryan L. Means wrote:
>> Good afternoon,
>>
>> We are just starting to use AFS here at the School of Law at UC 
>> Berkeley. Everything seems to be working well with OpenAFS for Windows 
>> and the integrated logon functionality that grabs a Kerberos 5 ticket 
>> and then the AFS token. Unfortunately, it seems that when a user locks 
>> their workstation, leaves for longer than the 10 hour ticket 
>> expiration period, and then comes back, the ticket and token have 
>> expired and the act of unlocking the workstation doesn't get another set.
>>
>> We do have an abnormal setup here where there are two realms, one MIT, 
>> one AD.
> 
> Different realm names?

Yes, the BERKELEY.EDU realm exists on the MIT KDC, but there is another 
realm name for the Windows AD KDC. To make a long story short, the 
administrators of our previously existing MIT KDC infrastructure did not 
trust that Windows AD would provide an acceptable KDC. For a while we 
even had a cross-realm trust and users would log into their workstations 
with the MIT realm identity instead of the AD one (that is no longer the 
case). There are plans to merge the two KDCs now, but it could be over a 
year before that happens, if it happens at all.

> Is the AFS access then using K4 or K5 to get AFS tokens?

K5 from the MIT KDC.

> Is there any reason that you could not use the AD K5 realm to get the
> afs K5 ticket? At least for Windows users?

Other than the problem of it being very confusing for our users that 
move from Windows to Mac to Unix, no. The problem is that the protection 
server currently only allows one identity for each AFS user (right?). So 
if we could have both identities in there there wouldn't be any problems 
at all.

> As Jeff pointed out in a prevuios note there is no notification for th
> screen unlock where the netmgr could get the username and password to use
> with the second realm.
> 
> With K5, tickets may be renewable and the netmgr will renew K5 tickets
> and get a new AFS token so the 10 hour limit is not a real issue
> till the RenewUntil time was reached.  If your MIT real is using K5
> does it allow renewable tickets, and for how long?

Yes, it does allow renewable tickets for up to 7 days. But, it doesn't 
seem like netmgr is renewing them when the workstation is locked. That 
would help the problem because then users who never log out would only 
be prompted every 7 days...

> If you could use the Windows KDC with AFS, the netmgr could use
> the MSLSA to get the updated TGT created by screen unlock with a new
> RenewUntil time.

Right, but this isn't going to be workable for us until the realms are 
merged.

> Jeff,
> The netmgr can import tickets from MSLSA, but only appears to do this
> at login or when the import credentials is selected.  Could it do this
> on a periodic bases to check if the MSLA TGT might have been updated
> by a screen unlock?  Or did I miss something?
> 
> So if Ryan can use the Windows DC as the KDC, with renewable tickets
> with a reasonable RenewUntil time, and the users unlock their machines
> some time withing the RenewUntil time, they would never loose
> their AFS token.
> 

Thanks, Doug!