[OpenAFS] Questions regarding AFS ticket lifetime

Jeffrey Altman jaltman@secure-endpoints.com
Fri, 20 Apr 2012 09:40:06 -0400


This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigB77D00E41A450FBCC5EF4F82
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Anders:

If you configure the default credential cache to be MSLSA: then the LSA=20
credentials will be used.

The functionality (an explorer shell logon hook) that was used to copy=20
credentials at logon no longer exists on Vista and later versions of=20
the operating system.  Since the functionality does not exist, the=20
functions exported from kfwlogon.dll do not get executed and no=20
Kerberos tickets can be copied in to the API: credential cache.

I have plans to build a new in kernel credential cache mechanism using=20
the AFS Authentication Groups available in the 1.7.x series.  I have no=20
available resources at the moment to implement it and I can't make a=20
commitment as to when I will.

At the moment afslogon.dll will obtain a new AFS token at logon, but it=20
will not be renewable.

Jeffrey Altman


On Friday, April 20, 2012 9:25:13 AM, Anders Magnusson wrote:

> Yes, I have seen that, but that do not explain the behaviour since I
> have no wish to fetch thingd from MSLSA.
> Integrated logon works, but fetching new krbtgt at unlock of the login
> window does not.
> And BTW, importing tickets from MSLSA to API seems to work (pressing
> import button).
>
> -- Ragge
>



--------------enigB77D00E41A450FBCC5EF4F82
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBAgAGBQJPkWc5AAoJENxm1CNJffh4usQH/jlSGDK1RWo0OWUeDY/RVWwo
vsSC/K3h3i9/93CrDKc7IM65QJX0FxsU55z9PCjvN7Xm4VzHWk7yQbVK2ZLmGUpc
o1bL6zvNj8Z8pw4uREdoDSfHcgpX+tmZAzzPfFG8vk9aLUtzz86Fr2Ql3D1lf/f1
woGXg4S0pxeZizIHQf5SIFtRWkNKl/pNgMF0ySnDG8zZrq00gjWqb8bAUvr+VHFO
PvmwRnr5VkDOZIu9rNdK8r5FfrEJpCKSQEqR4a74Hi3FgofhFO9qo/IhBdyXyL7J
sG4kus1L8gtPB0vG0mpCOKVl8JWvfNopd50MCOsEp2jKuBrX3/6cQw6KdJ2ciC4=
=skaX
-----END PGP SIGNATURE-----

--------------enigB77D00E41A450FBCC5EF4F82--