[OpenAFS] OpenAFS 1.7.3/Heimdal 1.5.1 64-bit Auto-login oddity

Billy Beaudoin wrbeaudo@ncsu.edu
Fri, 16 Dec 2011 09:56:02 -0500 

And that same bug got included in the Heimdal credential cache? Or is
it literally the same CC from KfW?

Billy Beaudoin
ITECS Systems
NC State University



On Fri, Dec 16, 2011 at 5:07 AM, Jens Wegener
<jens.wegener@hrz.tu-chemnitz.de> wrote:
> On Fri, 16 Dec 2011, Christopher Odenbach wrote:
>>>>
>>>> This can only be true for 64 Bit Windows 7, because it is running on
>>>> our Windows 7 pool with 32 Bit machines. Logging into the machines
>>>> gets AFS token AND Kerberos ticket!
>>>
>>>
>>> Are you sure the Kerberos ticket is not coming from the MSLSA ?
>>
>>
>> Yes. The pool machines are domain members. Our domain is
>> 'AD.UNI-PADERBORN.DE', our kerberos realm is 'UNI-PADERBORN.DE'. Both
>> realms have all users with identical usernames and password. There is
>> also a cross realm trust, but that should be unrelated in this case.
>>
>> I logon to the machine as AD\odenbach, so the Microsoft credential cache
>> is filled with odenbach@AD.UNI-PADERBORN.DE. But the Network Identity
>> Manager grabs the credentials and gets the ticket for
>> odenbach@UNI-PADERBORN.DE. So that is exactly the behaviour which I want
>> to see. But it only works on 32 bit machines.
>>
>> Just to check I have now created a local account on a pool machine, same
>> username and same password. If a logon to the machine using this local
>> account, I do not get a MSLSA ticket (which is clear), but I do get an
>> MIT Kerberos Ticket and an AFS Token. Renewable and everything.
>>
>> So what is the difference between 32 bit and 64 bit? Has Microsoft
>> dropped some feature here?
>
>
> As I have stated in this thread before there is a bug in the
> 64bit KfW. You have to patch it (or rename DLLs - not recommended).
> It will never work without such modifications (*). Trust me. :-)
> We use a similar configuration (without the cross realm trust).
>
> Alternativly there may be a correct 64bit-KFW version available
> for Secure Endpoints support customers. You may consider to
> contact Secure Endpoints for further assistance.
>
> (*) If I remember correct the relevant hook function at
> =A0 =A0logon loads the wrong DLL and fails (64bit only).
>
>
> Jens Wegener
> Chemnitz University of Technology
>
> --
> Jens Wegener =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0| E-Mail: jens.wegener@hr=
z.tu-chemnitz.de
> Universitaetsrechenzentrum =A0 =A0| Phone: =A0+49 (0)371 531 31137
> TU Chemnitz, D-09107 Chemnitz | Fax: =A0 =A0+49 (0)371 531 8 31137
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info