[OpenAFS] OpenAFS 1.7.3/Heimdal 1.5.1 64-bit Auto-login oddity

Jens Wegener jens.wegener@hrz.tu-chemnitz.de
Fri, 16 Dec 2011 11:07:20 +0100 (CET)

On Fri, 16 Dec 2011, Christopher Odenbach wrote:
>>> This can only be true for 64 Bit Windows 7, because it is running on
>>> our Windows 7 pool with 32 Bit machines. Logging into the machines
>>> gets AFS token AND Kerberos ticket!
>> Are you sure the Kerberos ticket is not coming from the MSLSA ?
> Yes. The pool machines are domain members. Our domain is
> 'AD.UNI-PADERBORN.DE', our kerberos realm is 'UNI-PADERBORN.DE'. Both
> realms have all users with identical usernames and password. There is
> also a cross realm trust, but that should be unrelated in this case.
> I logon to the machine as AD\odenbach, so the Microsoft credential cache
> is filled with odenbach@AD.UNI-PADERBORN.DE. But the Network Identity
> Manager grabs the credentials and gets the ticket for
> odenbach@UNI-PADERBORN.DE. So that is exactly the behaviour which I want
> to see. But it only works on 32 bit machines.
> Just to check I have now created a local account on a pool machine, same
> username and same password. If a logon to the machine using this local
> account, I do not get a MSLSA ticket (which is clear), but I do get an
> MIT Kerberos Ticket and an AFS Token. Renewable and everything.
> So what is the difference between 32 bit and 64 bit? Has Microsoft
> dropped some feature here?

As I have stated in this thread before there is a bug in the
64bit KfW. You have to patch it (or rename DLLs - not recommended).
It will never work without such modifications (*). Trust me. :-)
We use a similar configuration (without the cross realm trust).

Alternativly there may be a correct 64bit-KFW version available
for Secure Endpoints support customers. You may consider to
contact Secure Endpoints for further assistance.

(*) If I remember correct the relevant hook function at
     logon loads the wrong DLL and fails (64bit only).

Jens Wegener
Chemnitz University of Technology

Jens Wegener                  | E-Mail: jens.wegener@hrz.tu-chemnitz.de
Universitaetsrechenzentrum    | Phone:  +49 (0)371 531 31137
TU Chemnitz, D-09107 Chemnitz | Fax:    +49 (0)371 531 8 31137