[OpenAFS] OpenAFS 1.7.3/Heimdal 1.5.1 64-bit Auto-login oddity
Fri, 16 Dec 2011 10:12:12 +0100
>> This can only be true for 64 Bit Windows 7, because it is running on
>> our Windows 7 pool with 32 Bit machines. Logging into the machines
>> gets AFS token AND Kerberos ticket!
> Are you sure the Kerberos ticket is not coming from the MSLSA ?
Yes. The pool machines are domain members. Our domain is
'AD.UNI-PADERBORN.DE', our kerberos realm is 'UNI-PADERBORN.DE'. Both
realms have all users with identical usernames and password. There is
also a cross realm trust, but that should be unrelated in this case.
I logon to the machine as AD\odenbach, so the Microsoft credential cache
is filled with odenbach@AD.UNI-PADERBORN.DE. But the Network Identity
Manager grabs the credentials and gets the ticket for
odenbach@UNI-PADERBORN.DE. So that is exactly the behaviour which I want
to see. But it only works on 32 bit machines.
Just to check I have now created a local account on a pool machine, same
username and same password. If a logon to the machine using this local
account, I do not get a MSLSA ticket (which is clear), but I do get an
MIT Kerberos Ticket and an AFS Token. Renewable and everything.
So what is the difference between 32 bit and 64 bit? Has Microsoft
dropped some feature here?
Dipl.-Ing. Christopher Odenbach
Zentrum fuer Informations- und Medientechnologien
Tel.: +49 5251 60 5315