[OpenAFS] Questions regarding AFS ticket lifetime (fwd)

Jeffrey Altman jaltman@secure-endpoints.com
Fri, 20 Apr 2012 09:41:27 -0400


On Friday, April 20, 2012 8:33:09 AM, Stephen Joyce wrote:
> On Fri, 20 Apr 2012, Lars Schimmer wrote:
>
>>> The problem is:
>>> 1) Automatic renewal of the tgt by NiM does not work on Windows 7.  It did on XP.
>>> 2) Letting NiM fetch a new tgt when the user unlocks the screen does not work.  It did on XP.
>>
>> Windows 7 is not Windows XP; MS changed a lot based on security and user management.
>> Read the OpenAFS release notes about obtaining tokens on login:
>> http://www.openafs.org/dl/openafs/1.7.10/winxp/ReleaseNotes/html/ch03s06.html
>>
>>
>> "Integrated Logon will not transfer Kerberos v5 tickets into the user's logon session credential cache. This is no longer possible on Vista and Windows 7."
>
> I thought the gotcha above was only true if UAC was turned on AND the
> user in question was an admin.
>
>  "On Windows Vista, Windows 7, and Windows Server 2008 the operating
> system does not permit the importation of the Kerberos Ticket Granting
> Ticket if the active user account is a member of the Administrators or
> Domain Administrators groups and User Account Control (UAC) mode is
> active."
> <https://www.secure-endpoints.com/netidmgr/v2/docs/netidmgr/html/config_k5.htm>
>
>
> Have you tried ticket importing as a non-admin user and/or with UAC
> off? It must still be configured in the NIM options, of course.
>
> Cheers, Stephen

This is not a UAC issue.  This is related to the lack of a logon and logoff event handler in Vista and beyond.

Jeffrey Altman