[OpenAFS] is this what windows folks call "integrated login"?

Steve Simmons scs@umich.edu
Mon, 23 Aug 2010 12:35:56 -0400


On Aug 23, 2010, at 11:43 AM, Dale Pontius wrote:

>> 
>> Is there a piece of software that does this?  It's been a long, long
>> time since I used Windows, but it sounds like this feature is what the
>> Windows client calls "integrated login".  Or maybe not.  Either way, is
>> there a way to get MacOS to do this?

> Be very careful of an integrated login on a laptop.  I set up to have
> (sometimes) integrated login on Linux, and it can be problematic if you
> try to login while away from the network where your AFS server resides -
> as in a really looooong timeout.  I don't know if this is standard
> behavior for Windows or MacOS integrated logins, and for that matter I
> don't know if this is even the current behavior for an integrated login
> under Linux, any more.  I just know that when I first set things up
> under Linux, if the server wasn't available, only root could login.

What he said. I run openafs on my mac laptop and configure it so that
it does not start AFS at boot, nor automatically obtain kerberos
tickets. My login password is local, not kerberos or AD. This gives me
the most flexibility when going on the road, as there are many places
still where you can't get easy network access. If your password requires
AD or kerberos and you're away from a net, you're screwed.

For afs, I configure it via the OpenAFS preference panel such that it
does not start at boot. When I want to run AFS, I turn it on via the
same preferences panel. The only time it's really an issue is when
you're cold-booting the laptop. Once it's up and has successfully
started AFS, you can be detached with only minor irritations when you
forget a file is in AFS and have to wait for the timeout.

When kerberos keys are needed but no AFS access, I run 'kinit.' When
afs is running, I do 'kinit && aklog.'

Conversely - I can count on one hand the number of times I've had to
cold-boot my laptop while away from a network connection. If you can live
with the long boot time while AFS times out in such circumstances, you
only need to worry about local passwd vs krb/AD stuff. But no matter
what, stick to a local password.

Steve