Jan Johansson wrote:
> Jeffrey Altman <[EMAIL PROTECTED]> wrote:
>
> Oki, then I think I know what my problem is. Can you please just
> check that I got the facts right.
>
> As the users log in using an external KDC trust, the initial
> tickets are stored in the MSLSA.

Correct.

> afscreds.exe will find and use the TGT from the MSLSA and use
> this to get tokens for the cells specified in the TheseCells
> registry setting.

If you turn on "integrated logon", you can obtain tokens before the
logon session is created, thereby allowing you to store roaming
profiles in AFS. Tokens for "ThisCell" and "TheseCells" are
automatically obtained by integrated logon, not by afscreds.exe.

> afscreds.exe will renew tokens as needed, finding updated TGTs
> (after the user unlocks the screen) in the MSLSA.

afscreds.exe can renew tokens if it can recognize the relationship
between the principal name and the service ticket. This is done by
searching the cache for "[EMAIL PROTECTED]" or "afs/[EMAIL PROTECTED]"
service tickets.

> I do not need to have leash running.

You do not.

> (The local AFS cell is missing some part of 2b.)

OAFW does not use '2b'. It uses Krb5 tickets as tokens. If you are
using Active Directory as your KDC, your krb5 tickets can be quite
large and the tickets will be encoded with DES-CBC-MD5. All OpenAFS
servers from 1.2.8 support krb5 tickets up to 344 bytes and encoded
with DES-CBC-CRC. All OpenAFS servers after 1.3.64 support tickets up
to 14000 bytes and DES-CBC-MD5 encoding.

> The reason I get tokens for central and a login dialog for local
> is that 2b is not working for local.

The OAFW client cannot tell what works or does not work for a
particular cell. If there are tokens when you log on, then afscreds
will not display a dialog. Perhaps you are not using integrated logon.

> In UNIX I can work around the broken 2b by setting 'afs-use-524 =
> local' in krb5.conf; there is no such setting in OpenAFS/Kerberos
> for Windows.

All OAFW settings are contained in the registry. It really is
inappropriate for AFS configuration data to be stored in Kerberos
configuration files. OAFW does support a 524 option. (See registry.txt)

Jeffrey Altman
