[OpenAFS] Questions regarding AFS ticket lifetime
Fri, 20 Apr 2012 13:30:00 +0200
On 20.04.2012 12:53, Anders Magnusson wrote:
> On 04/20/2012 09:35 AM, Lars Schimmer wrote:
>>> From memory, during our Windows XP days (different OS, different
>>> OpenAFS, different Network Identity Manager, different MIT Kerberos
>>> for Windows), just locking and unlocking the computer refreshed the
>>> AFS ticket.
>>> How has this changed for Windows 7 and our current setup, as this
>>> no longer seems to be working?
>> Remember the 2 different credential caches of Windows: one of the system
>> at login and one for NetworkID Manager.
>> On login you get a ticket/token with the Windows built-in credential
>> cache, which CANNOT be accessed by Network ID Manager.
>> Only after you obtain a token manually in NetworkID Manager does it renew
>> the token automatically, and you can set the token lifetime with Network ID
> The problem is:
> 1) Automatic renewal of the tgt by NiM does not work on Windows 7. It did
> on XP.
> 2) Letting NiM fetch a new tgt when the user unlocks the screen does not
> work. It did on XP.
Windows 7 is not Windows XP; MS changed a lot based on security and user
Read the OpenAFS release notes about obtaining tokens on login:
"Integrated Logon will not transfer Kerberos v5 tickets into the user's
logon session credential cache. This is no longer possible on Vista and
> It gives a bad user experience to tell them that they need to fetch
> stuff manually, since they did not need to do so on XP but now on
> Windows 7. Therefore we need to find out what is wrong since this was
> not a problem before (with XP).
It is a security precaution situation made by MS. Go and ask MS to
> -- Ragge
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: firstname.lastname@example.org
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
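The thread turns on which credential cache actually holds a ticket on Windows 7: Integrated Logon puts it in the logon session (LSA) cache, which Network Identity Manager cannot see. As an added example (not from the thread or from OpenAFS), the script below reads that logon session cache with the klist.exe that ships with Windows 7 and reports whether the TGT there is still valid and renewable, so an admin can tell a missing ticket from an expired or non-renewable one before blaming NIM. It assumes the Windows klist.exe output labels shown in the constructed sample (the MIT Kerberos for Windows klist prints a different format) and en-US date formatting in the "(local)" timestamps.

```powershell
# Added example, not part of the original thread. Inspect the TGT in the
# Windows logon session credential cache via the built-in klist.exe.
# ASSUMPTIONS: label names below match klist.exe output; dates parse with
# the current culture. Constructed sample output lets the parser run offline.
$SampleKlist = @'
Current LogonId is 0:0x3e7
Cached Tickets: (1)
#0>     Client: user @ EXAMPLE.ORG
        Server: krbtgt/EXAMPLE.ORG @ EXAMPLE.ORG
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent
        Start Time: 4/20/2012 8:00:00 (local)
        End Time:   4/20/2012 18:00:00 (local)
        Renew Time: 4/27/2012 8:00:00 (local)
'@

function Get-TgtStatus {
    param([string[]]$KlistLines, [datetime]$Now = (Get-Date))
    $tgt = $null; $inTgt = $false
    foreach ($line in $KlistLines) {
        if ($line -match '^#\d+>') { $inTgt = $false }            # start of a new ticket entry
        if ($line -match 'Server:\s+krbtgt/') { $inTgt = $true; $tgt = @{} }
        if (-not $inTgt) { continue }                              # only the TGT matters here
        if ($line -match 'Ticket Flags.*->\s*(.*)$') { $tgt.Renewable = ($Matches[1] -match '\brenewable\b') }
        if ($line -match 'End Time:\s+(.+?)\s+\(local\)')   { $tgt.End   = [datetime]::Parse($Matches[1]) }
        if ($line -match 'Renew Time:\s+(.+?)\s+\(local\)') { $tgt.Renew = [datetime]::Parse($Matches[1]) }
    }
    if (-not $tgt) { return [pscustomobject]@{ HasTgt = $false; NeedsNewTicket = $true } }
    [pscustomobject]@{
        HasTgt         = $true
        ExpiresIn      = $tgt.End - $Now
        Renewable      = [bool]$tgt.Renewable
        RenewableUntil = $tgt.Renew
        # Expired, not renewable, or past the renew window: only a fresh
        # logon/kinit in NIM can produce a usable ticket; renewal cannot.
        NeedsNewTicket = ($tgt.End -le $Now) -or (-not $tgt.Renewable) -or ($tgt.Renew -le $Now)
    }
}

# Live run reads the current logon session's cache; otherwise use the sample.
$lines = if (Get-Command klist.exe -ErrorAction SilentlyContinue) { & klist.exe 2>$null } `
         else { $SampleKlist -split "`n" }
Get-TgtStatus -KlistLines $lines | Format-List
```

Run it in the user's own session (not an elevated prompt, which has a different LogonId and cache) to see the ticket that Integrated Logon left behind.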