1. Is the AFS service ticket the only thing needed to make an afs token?
2. I.e. does pts handle all the afs permissions from then on?
3. can "kinit admin" now authenticate to AD instead of a krb5 server?
thanks
tedc
Douglas E. Engert wrote:
ted creedon wrote:
What happens to non service tickets?
Not sure what you mean. The user's PAC is added to the initial TGT for the user,
then copied to service tickets and cross-realm TGTs and the service ticket for AFS.

The NO_AUTH_REQUIRED bit would only be set on the account for the AFS server
principal in AD, then when a service ticket is created for AFS the AD KDC will
not copy the user's PAC to the AFS service ticket.
Tickets for other services will still get a PAC.

Since the AFS cache manager has some 12000 byte limits on the size of
the ticket, and it does not use the PAC anyway, telling the KDC to not send
the PAC to AFS means AFS does not have to deal with users in lots of AD
groups.
tedc
Douglas E. Engert wrote:
From the article:
"New resolution for problems that occur when users belong to many
groups"
http://support.microsoft.com/?kbid=327825
It looks like XP and W2003 no longer have a max_token_size limit, and thus
the size of a ticket could now be above 12,000 bytes.
So for any sites that use Active Directory as the KDC and OpenAFS,
keep the following option in mind for the afs/[EMAIL PROTECTED] principal:
"An update is available that introduces the NO_AUTH_REQUIRED flag to
the UserAccountControl property in Windows Server 2003 and in
Windows 2000"
http://support.microsoft.com/kb/832572
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
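The change Douglas describes above, setting the NO_AUTH_REQUIRED (ADS_UF_NO_AUTH_DATA_REQUIRED, 0x2000000) bit on the AD account that holds the afs/<cell> service principal so the KDC stops copying the user's PAC into AFS service tickets, as an added example. This is not code from the thread or from the OpenAFS project. It assumes the ActiveDirectory PowerShell module is available on a domain-joined admin host, and the cell name `example.com` is a placeholder to replace with your own.

```powershell
# Added example, not from the original thread.
# Set ADS_UF_NO_AUTH_DATA_REQUIRED on the account that owns the afs/<cell> SPN,
# so the AD KDC omits the PAC from afs/ service tickets (see KB 832572).
Import-Module ActiveDirectory

$cell = 'example.com'                     # assumption: replace with your AFS cell name
$NO_AUTH_DATA_REQUIRED = 0x2000000        # ADS_UF_NO_AUTH_DATA_REQUIRED = 33554432

# Locate the account that carries the afs/<cell> service principal name.
$acct = Get-ADObject -LDAPFilter "(servicePrincipalName=afs/$cell)" `
    -Properties userAccountControl, servicePrincipalName
if (-not $acct) { throw "no account holds SPN afs/$cell" }

# Set the bit while preserving every other userAccountControl flag.
$uac = [int]$acct.userAccountControl
if ($uac -band $NO_AUTH_DATA_REQUIRED) {
    Write-Host "$($acct.DistinguishedName): NO_AUTH_DATA_REQUIRED already set"
} else {
    Set-ADObject -Identity $acct `
        -Replace @{ userAccountControl = ($uac -bor $NO_AUTH_DATA_REQUIRED) }
    Write-Host "set NO_AUTH_DATA_REQUIRED on $($acct.DistinguishedName)"
}

# Sanity check: the flag belongs only on the AFS server principal. Any other
# account carrying it would get PAC-less tickets, which breaks Windows
# authorization for that service, so report such accounts.
Get-ADObject -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$NO_AUTH_DATA_REQUIRED)" `
    -Properties servicePrincipalName |
    Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName } |
    ForEach-Object { Write-Warning "unexpected NO_AUTH_DATA_REQUIRED on $($_.DistinguishedName)" }
```

The bit only affects tickets the KDC issues after the change, so clients holding an existing afs/ service ticket keep the PAC-bearing copy until they obtain a fresh one; the `1.2.840.113556.1.4.803` filter is the LDAP bitwise-AND matching rule, which is what lets the last query find every account with this particular flag rather than every account with an equal userAccountControl value.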