[OpenAFS] Testing OpenAFS with Windows XP Roaming Profiles....

Gémes Géza geza@kzsdabas.hu
Sat, 18 Sep 2010 15:36:55 +0200


On 2010-09-18 08:16, Gémes Géza wrote:
> On 2010-09-17 18:21, Jeffrey Altman wrote:
>
>> On 9/17/2010 11:06 AM, Claudio Prono wrote:
>>
>>>>> Now, the question is: how can I make Windows first write the updated
>>>>> profile, then drop tickets?
>>>>>
>>>>> The ACL system:anyuser all for the profile folder is not a good solution...
>>>>>
>>>>> Any hint?
>>>>>
>>>> The afslogon.dll has special code in it that has to detect that the
>>>> profile is redirected into AFS.   This is based on the assumption that a
>>>> domain is in use.   The additional case for a non-domain profile in AFS
>>>> would have to be added.
>>>>
>>>> Jeffrey Altman
>>>>
>>> Just an idea... why not put an option inside the AFS control panel to
>>> override the domain detection ? Not all the users using a roaming
>>> profile use a Domain.... Something like "roaming profile active" in the
>>> AFS control panel....
>>>
>>> Anyway, now how can I override that detection of the afslogon.dll? Any
>>> trick to cheat the afslogon.dll auto detection?
>>>
>>> Cordially,
>>>
>>> Claudio Prono.
>>>
>> Claudio:
>>
>> It would be more work to implement a cheat than to do the correct thing
>> for your configuration.   Someone can write a patch for afslogon and
>> submit it to gerrit.openafs.org.
>>
>> What needs to be implemented is the Local Profile in AFS case both for
>> NPLogonNotify() and AFS_Logoff_Event().   If the profile is not remote,
>> then a search for a profile in AFS should not be queried via AD (LDAP)
>> but instead through the GetUserProfileDirectory() API.
>>
>> If you read the OpenAFS for Windows Release Notes, you can use the
>> LogoffPreserveTokens registry value to force the AFS tokens to be held
>> after logoff.  However, doing so retains the tokens until they expire.
>>
>> Jeffrey Altman
>>
> Sorry if that sounds stupid, but do the NPLogonNotify() and
> AFS_Logoff_Event() calls currently query AD via LDAP? If so, I suppose they aren't
> discovering a pre-AD (NT4, Samba3) redirected domain profile either?
> I've just planned to move the user profiles of our Samba3 domain to AFS :-(.
>
> Thanks
>
> Geza
>
OK, I did an experiment: I created a user (let's call him testuser),
redirected his profile (via the LDAP backend of Samba) to
\\afs\....\profiles\testuser,
gave him the rlidwk ACL for that dir and l to system:anyuser on the whole
path to that dir, and the profile seems to load and unload perfectly,
the profile path being updated as it should.

Cheers

Geza
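
An added example, not part of the original thread or of OpenAFS itself: a Python check over `fs listacl` output that the ACL layout described in the last message holds (rlidwk for the profile owner, nothing beyond l for system:anyuser along the path), as opposed to the "system:anyuser all" ACL rejected earlier in the thread. The cell name, paths and sample output are constructed placeholders.

```python
import re

# Constructed `fs listacl` output; example.org and the paths are placeholders.
SAMPLE = """\
Access list for /afs/example.org/profiles is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
Access list for /afs/example.org/profiles/testuser is
Normal rights:
  system:administrators rlidwka
  testuser rlidwk
"""

def parse_listacl(text):
    """Return {path: {principal: rights}} from the 'Normal rights' sections."""
    acls, path, normal = {}, None, False
    for line in text.splitlines():
        m = re.match(r"Access list for (.+) is$", line)
        if m:
            path, normal = m.group(1), False
            acls[path] = {}
        elif line.strip() == "Normal rights:":
            normal = True
        elif line.strip() == "Negative rights:":
            normal = False  # negative entries only remove access; skip them
        elif normal and path and len(line.split()) == 2:
            principal, rights = line.split()
            acls[path][principal] = rights
    return acls

def audit_profile(acls, profile_dir, owner):
    """Flag anything beyond 'l' for system:anyuser, or an owner ACL other than rlidwk."""
    findings = []
    for path, entries in acls.items():
        anyuser = entries.get("system:anyuser", "")
        if set(anyuser) - {"l"}:
            findings.append(f"{path}: system:anyuser has '{anyuser}', expected at most 'l'")
    owner_rights = acls.get(profile_dir, {}).get(owner, "")
    if set(owner_rights) != set("rlidwk"):
        findings.append(f"{profile_dir}: {owner} has '{owner_rights}', expected 'rlidwk'")
    return findings

if __name__ == "__main__":
    profile = "/afs/example.org/profiles/testuser"
    for finding in audit_profile(parse_listacl(SAMPLE), profile, "testuser"):
        print(finding)
```
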