[OpenAFS] Questions regarding AFS ticket lifetime

Anders Magnusson ragge@ltu.se
Fri, 20 Apr 2012 16:25:55 +0200


Thanks Jeffrey, now a lot of things became clearer :-)

But to solve this incident; since automatic renew in NiM does not work
but kinit -R && aklog does work for the API cache, we are planning to
add this to the Task Scheduler.  Do you see any problem with doing it
like this?

-- Ragge


On 04/20/2012 03:40 PM, Jeffrey Altman wrote:
> Anders:
>
> If you configure the default credential cache to be MSLSA: then the LSA
> credentials will be used.
>
> The functionality (an explorer shell logon hook) that was used to copy
> credentials at logon no longer exists on Vista and later versions of
> the operating system.  Since the functionality does not exist, the
> functions exported from kfwlogon.dll do not get executed and no
> Kerberos tickets can be copied into the API: credential cache.
>
> I have plans to build a new in-kernel credential cache mechanism using
> the AFS Authentication Groups available in the 1.7.x series.  I have no
> available resources at the moment to implement it and I can't make a
> commitment as to when I will.
>
> At the moment afslogon.dll will obtain a new AFS token at logon, but it
> will not be renewable.
>
> Jeffrey Altman
>
>
> On Friday, April 20, 2012 9:25:13 AM, Anders Magnusson wrote:
>
>> Yes, I have seen that, but that does not explain the behaviour since I
>> have no wish to fetch things from MSLSA.
>> Integrated logon works, but fetching new krbtgt at unlock of the login
>> window does not.
>> And BTW, importing tickets from MSLSA to API seems to work (pressing
>> import button).
>>
>> -- Ragge
>>
>
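
The scheduled "kinit -R && aklog" job discussed in this thread, written as a script for Task Scheduler. This is an added example, not part of the original messages; the script name, log path and task name are hypothetical, and it assumes kinit.exe (MIT Kerberos for Windows) and aklog.exe (OpenAFS) are on PATH. A TGT can only be renewed while it is still valid and within its renewable lifetime, so the failure branch is logged instead of being silently dropped.

```powershell
# renew-afs.ps1 (hypothetical name) - added example, not from the thread.
# Register it as the logged-on user, for example:
#   schtasks /Create /TN "Renew AFS token" /SC HOURLY /TR "powershell.exe -NoProfile -File <path>\renew-afs.ps1"
# Assumption: the task runs in the user's own logon session, so it works on
# the same API: credential cache that an interactive kinit would use.

$log = Join-Path $env:LOCALAPPDATA 'renew-afs.log'   # hypothetical log location

function Write-Log([string]$Message) {
    # Timestamped line so a failed renewal can be matched to a lost token later.
    Add-Content -Path $log -Value ("{0} {1}" -f (Get-Date -Format s), $Message)
}

# Step 1: renew the TGT in the default credential cache.
$out = & kinit.exe -R 2>&1
if ($LASTEXITCODE -ne 0) {
    # Typical causes: ticket already expired, renewable lifetime exhausted,
    # or the ticket was never issued as renewable. The user must log in again.
    Write-Log "kinit -R failed (exit $LASTEXITCODE): $out"
    exit 1   # same effect as '&&': aklog is skipped when renewal fails
}

# Step 2: obtain a fresh AFS token from the renewed TGT.
$out = & aklog.exe 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Log "aklog failed (exit $LASTEXITCODE): $out"
    exit 2
}

Write-Log "TGT renewed and AFS token refreshed"
exit 0
```

The non-zero exit codes show up as the task's last run result in Task Scheduler, which gives a second place to notice that renewal has stopped working.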