[OpenAFS] Questions regarding AFS ticket lifetime (fwd)

Stephen Joyce stephen@physics.unc.edu
Fri, 20 Apr 2012 08:33:09 -0400 (EDT)


On Fri, 20 Apr 2012, Lars Schimmer wrote:

>> The problem is:
>> 1) Automatic renewal of the TGT by NIM does not work on Windows 7.  It did
>> on XP.
>> 2) Letting NIM fetch a new TGT when the user unlocks the screen does not
>> work.  It did on XP.
> 
> Windows 7 is not Windows XP, MS changed a lot based on security and user
> management.
> Read the OpenAFS release notes about obtaining tokens on login:
> http://www.openafs.org/dl/openafs/1.7.10/winxp/ReleaseNotes/html/ch03s06.html
> 
> "Integrated Logon will not transfer Kerberos v5 tickets into the user's
> logon session credential cache. This is no longer possible on Vista and
> Windows 7."

I thought the gotcha above was only true if UAC was turned on AND the user in 
question was an admin.

  "On Windows Vista, Windows 7, and Windows Server 2008 the operating system 
does not permit the importation of the Kerberos Ticket Granting Ticket if the 
active user account is a member of the Administrators or Domain Administrators 
groups and User Account Control (UAC) mode is active." 
<https://www.secure-endpoints.com/netidmgr/v2/docs/netidmgr/html/config_k5.htm>

Have you tried ticket importing as a non-admin user and/or with UAC off? It 
must still be configured in the NIM options, of course.

Cheers, Stephen
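The two conditions quoted from the Network Identity Manager documentation (UAC active, and the account a member of Administrators or Domain Admins) can be checked directly on the affected machine. The following PowerShell script is an added example written for this thread; it is not code from the thread, from OpenAFS or from NIM. It assumes that the EnableLUA registry value reflects whether UAC is active and that `whoami /groups` lists the logon token's groups including those marked "Group used for deny only" in a UAC-filtered token, so an administrator running non-elevated is still detected as an administrator.

```powershell
# Added example, not from the thread: report whether the TGT-import restriction
# described for Vista / Windows 7 / Server 2008 applies to the current logon.
# Assumption: HKLM\...\Policies\System\EnableLUA == 1 means UAC is active.
# Assumption: 'whoami /groups' shows deny-only groups of a filtered token.

function Test-UacActive {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.EnableLUA -eq 1)
}

function Get-TokenGroupSids {
    # whoami enumerates the groups of the logon token; the CSV columns are
    # "Group Name","Type","SID","Attributes".
    $rows = whoami /groups /fo csv | ConvertFrom-Csv
    return @($rows | ForEach-Object { $_.SID })
}

function Test-AdminGroupMember {
    $sids = Get-TokenGroupSids
    # S-1-5-32-544 is BUILTIN\Administrators; a domain's Domain Admins group
    # has RID 512 under the domain SID prefix S-1-5-21-...
    $localAdmins  = $sids -contains 'S-1-5-32-544'
    $domainAdmins = @($sids | Where-Object { $_ -match '^S-1-5-21-.*-512$' }).Count -gt 0
    return ($localAdmins -or $domainAdmins)
}

$uac   = Test-UacActive
$admin = Test-AdminGroupMember

"UAC active:                           $uac"
"Member of Administrators/Domain Admins: $admin"

if ($uac -and $admin) {
    "Kerberos TGT import into the logon session is blocked for this account."
} else {
    "The UAC/admin restriction does not apply; check the NIM credential settings instead."
}

# Show what the LSA Kerberos cache currently holds (klist ships with Windows 7).
klist
```

Run it from a normal (non-elevated) PowerShell prompt as the user whose tokens are failing: an elevated prompt has an unfiltered token and a separate LSA session, so its `klist` output does not describe the user's desktop session.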