[OpenAFS] OpenAFS 1.7.3/Heimdal 1.5.1 64-bit Auto-login oddity
Fri, 16 Dec 2011 09:56:02 -0500
And that same bug got included in the Heimdal credential cache? Or is
it literally the same CC from KfW?
NC State University
On Fri, Dec 16, 2011 at 5:07 AM, Jens Wegener
> On Fri, 16 Dec 2011, Christopher Odenbach wrote:
>>>> This can only be true for 64 Bit Windows 7, because it is running on
>>>> our Windows 7 pool with 32 Bit machines. Logging into the machines
>>>> gets AFS token AND Kerberos ticket!
>>> Are you sure the Kerberos ticket is not coming from the MSLSA ?
>> Yes. The pool machines are domain members. Our domain is
>> 'AD.UNI-PADERBORN.DE', our Kerberos realm is 'UNI-PADERBORN.DE'. Both
>> realms have all users with identical usernames and password. There is
>> also a cross realm trust, but that should be unrelated in this case.
>> I log on to the machine as AD\odenbach, so the Microsoft credential cache
>> is filled with odenbach@AD.UNI-PADERBORN.DE. But the Network Identity
>> Manager grabs the credentials and gets the ticket for
>> odenbach@UNI-PADERBORN.DE. So that is exactly the behaviour which I want
>> to see. But it only works on 32 bit machines.
>> Just to check I have now created a local account on a pool machine, same
>> username and same password. If I log on to the machine using this local
>> account, I do not get a MSLSA ticket (which is clear), but I do get an
>> MIT Kerberos Ticket and an AFS Token. Renewable and everything.
>> So what is the difference between 32 bit and 64 bit? Has Microsoft
>> dropped some feature here?
> As I have stated in this thread before there is a bug in the
> 64bit KfW. You have to patch it (or rename DLLs - not recommended).
> It will never work without such modifications (*). Trust me. :-)
> We use a similar configuration (without the cross realm trust).
> Alternatively there may be a correct 64bit-KFW version available
> for Secure Endpoints support customers. You may consider to
> contact Secure Endpoints for further assistance.
> (*) If I remember correctly the relevant hook function at
>     logon loads the wrong DLL and fails (64bit only).
> Jens Wegener
> Chemnitz University of Technology
> Jens Wegener                  | E-Mail: jens.wegener@hr=
> Universitaetsrechenzentrum    | Phone:  +49 (0)371 531 31137
> TU Chemnitz, D-09107 Chemnitz | Fax:    +49 (0)371 531 8 31137