[OpenAFS] k5start functionality on windows

John D'Ausilio john.dausilio@1010data.com
Thu, 24 Aug 2017 16:49:58 +0000



The system I'm doing a POC with uses local accounts in production on both linux and windows boxes, which are headless.
On linux, k5start with a keytab for the afs user works fine for keeping a fresh token available for the local account.
On windows, I'm having problems getting similar functionality.
First attempt was a scheduled task as the local user to kinit with the keytab and then aklog .. it runs without errors but other shells (new or existing) for the same user don't see any tickets (klist) or tokens. Separate caches?
Second attempt was with Network Identity Manager, which would be perfect if I can figure out how to make it use my keytab instead of typing a password.
Anyone have another solution?

JohnD