[OpenAFS] UAC in Windows 7 prevents importing Kerberos TGT to NIM

Jeffrey Altman jaltman@secure-endpoints.com
Tue, 05 Apr 2011 17:07:28 -0400


You have two choices.  Disable UAC or stop using an account that is a
member of the Administrators Group for day to day operations.  I would
choose the latter.

Jeffrey Altman


On 4/5/2011 4:51 PM, Jonathan Nilsson wrote:
> Hello,
>
> I'm running Windows 7 Professional 64-bit, joined to an Active Directory domain
> which is my Kerberos REALM for my OpenAFS cell. Everything works fine, but I
> have recently noticed that when I login with a domain account, Network Identity
> Manager does not seem to be automatically getting an AFS token. It just pops-up
> a password prompt for my Kerberos "identity" as it calls it.
>
> I did some searching and found this page in the NIM docs which seems to describe
> my situation:
>
> http://www.secure-endpoints.com/netidmgr/v2/docs/netidmgr/html/config_k5.htm
>
> which about half way down the page has this paragraph:
>
> "On Windows Vista, Windows 7, and Windows Server 2008 the operating system does
> not permit the importation of the Kerberos Ticket Granting Ticket if the active
> user account is a member of the Administrators or Domain Administrators groups
> and User Account Control (UAC) mode is active."
>
> My domain account is a member of the local computer's Administrators group. Is
> there any workaround besides completely disabling UAC?
>
> In the mean time I removed my account from the local "Administrators" group, and
> NIM works again.


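The following PowerShell check is an added example, not part of the original thread or of NIM itself. It tests the current logon session for the two conditions named in the quoted NIM documentation paragraph (UAC active, and membership in Administrators or Domain Admins). The variable names are illustrative, and it assumes the standard `EnableLUA` policy value and the built-in `whoami` tool.

```powershell
# Added example: does the condition quoted from the NIM documentation
# apply to the account running this session?

# UAC state: EnableLUA = 1 means User Account Control is active.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = Get-ItemProperty -Path $policyKey -Name EnableLUA -ErrorAction SilentlyContinue
$uacActive = ($lua -ne $null) -and ($lua.EnableLUA -eq 1)

# whoami lists every group SID in the token, including groups that UAC has
# marked deny-only in the filtered token. /nh drops the header row (which is
# localized), so the column names are supplied here instead.
$groups = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes

# S-1-5-32-544 is BUILTIN\Administrators; RID 512 under a domain SID
# (S-1-5-21-<domain>-512) is Domain Admins.
$adminGroups = @($groups | Where-Object {
    $_.SID -eq 'S-1-5-32-544' -or $_.SID -match '^S-1-5-21-(\d+-){3}512$'
})
$isAdminMember = $adminGroups.Count -gt 0

Write-Output ("UAC active:                 {0}" -f $uacActive)
Write-Output ("Administrators membership:  {0}" -f $isAdminMember)
$adminGroups | ForEach-Object {
    Write-Output ("  {0} ({1}) [{2}]" -f $_.Name, $_.SID, $_.Attributes)
}

if ($uacActive -and $isAdminMember) {
    Write-Output 'Both conditions from the NIM documentation hold: expect the TGT import to be refused.'
} else {
    Write-Output 'The documented UAC restriction on TGT import does not apply to this session.'
}
```

Run it from a normal (non-elevated) prompt under the account used for daily work, since that is the session NIM runs in.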