[OpenAFS] Testing OpenAFS with Windows XP Roaming Profiles....

Gémes Géza geza@kzsdabas.hu
Sat, 18 Sep 2010 08:16:36 +0200


On 2010-09-17 18:21, Jeffrey Altman wrote:
> On 9/17/2010 11:06 AM, Claudio Prono wrote:
>>>> Now, the question is: how can I make Windows first write the updated
>>>> profile, then drop tickets?
>>>>
>>>> The ACL system:anyuser all for the profile folder is not a good solution...
>>>>
>>>> Any hint?
>>> The afslogon.dll has special code in it that has to detect that the
>>> profile is redirected into AFS.   This is based on the assumption that a
>>> domain is in use.   The additional case for a non-domain profile in AFS
>>> would have to be added.
>>>
>>> Jeffrey Altman
>>>
>> Just an idea... why not put an option inside the AFS control panel to
>> override the domain detection ? Not all the users using a roaming
>> profile use a Domain.... Something like "roaming profile active" in the
>> AFS control panel....
>>
>> Anyway, now how can I override that detection of the afslogon.dll? Any
>> trick to cheat the afslogon.dll auto detection?
>>
>> Cordially,
>>
>> Claudio Prono.
> Claudio:
>
> It would be more work to implement a cheat than to do the correct thing
> for your configuration.   Someone can write a patch for afslogon and
> submit it to gerrit.openafs.org.
>
> What needs to be implemented is the Local Profile in AFS case both for
> NPLogonNotify() and AFS_Logoff_Event().   If the profile is not remote,
> then a search for a profile in AFS should not be queried via AD (LDAP)
> but instead through the GetUserProfileDirectory() API.
>
> If you read the OpenAFS for Windows Release Notes, you can use the
> LogoffPreserveTokens registry value to force the AFS tokens to be held
> after logoff.  However, doing so retains the tokens until they expire.
>
> Jeffrey Altman
>
Sorry if that sounds stupid, but do the NPLogonNotify() and
AFS_Logoff_Event() calls currently query AD via LDAP? If so, I suppose they aren't
discovering a pre-AD (NT4, Samba3) redirected domain profile either?
I've just planned to move the user profiles of our Samba3 domain to AFS :-(.

Thanks

Geza