[OpenAFS] OpenAFS 1.7.3/Heimdal 1.5.1 64-bit Auto-login oddity

Christopher Odenbach odenbach@uni-paderborn.de
Fri, 16 Dec 2011 10:12:12 +0100


Hi,

>> This can only be true for 64 Bit Windows 7, because it is running on
>> our Windows 7 pool with 32 Bit machines. Logging into the machines
>> gets AFS token AND Kerberos ticket!
> 
> Are you sure the Kerberos ticket is not coming from the MSLSA ?

Yes. The pool machines are domain members. Our domain is
'AD.UNI-PADERBORN.DE', our Kerberos realm is 'UNI-PADERBORN.DE'. Both
realms have all users with identical usernames and passwords. There is
also a cross realm trust, but that should be unrelated in this case.

I log on to the machine as AD\odenbach, so the Microsoft credential cache
is filled with odenbach@AD.UNI-PADERBORN.DE. But the Network Identity
Manager grabs the credentials and gets the ticket for
odenbach@UNI-PADERBORN.DE. So that is exactly the behaviour which I want
to see. But it only works on 32 bit machines.

Just to check I have now created a local account on a pool machine, same
username and same password. If I log on to the machine using this local
account, I do not get a MSLSA ticket (which is clear), but I do get an
MIT Kerberos Ticket and an AFS Token. Renewable and everything.

So what is the difference between 32 bit and 64 bit? Has Microsoft
dropped some feature here?

Christopher

-- 
======================================================
    Dipl.-Ing. Christopher Odenbach
    Zentrum fuer Informations- und Medientechnologien
    Universitaet Paderborn
    Raum N5.122
    odenbach@uni-paderborn.de
    Tel.: +49 5251 60 5315
======================================================