Lars Schimmer wrote:
> Hi!
>
> Today I did some tests on some workstations.
> I first deleted all old Kerberos for Windows <3.2 and the kerberos
> config. I deleted all documents and settings from the windows client and
> I installed OpenAFS 1.5.20.
> After some reboots I installed KfW 3.2 with the leash manager.
> I set in the options to disable krb4 plugin, set "obtain credentials
> automatic" and added the correct realm and server in the leash manager.
> I check against krb5 server from our Win 2003 AD domain.

Are you really using Leash and not Network Identity Manager? Network Identity Manager is the credential manager for which OpenAFS provides an AFS credential provider. The Leash AFS support has been removed by MIT.

> And I did NOT activate the "obtain token while login" in OpenAFS, I
> remember I should leave that action to the leash manager in which I
> activated the "obtain AFS token" function.
>
> After a reboot I tried to login with my testuser. The user has a roaming
> profile in AFS space (in AD server \\AFS\cgv.tugraz.at\profiles\testuser
> as path) and it should use that (it was used often before).
> But while trying to login, windows tells me, access denied to the afs
> path (??). So Win creates the temp profile on HD and I see the leash
> manager which I opened and see "obtain credential while logging in" NOT
> activated. What??. And so it didn't get a token.

Token acquisition during the Windows logon for profile access requires the use of "Integrated Logon". If you did not turn on "Integrated Logon", do so. See the release notes. If you don't use "Integrated Logon" there will be no tokens acquired prior to Windows' attempt to load the profile. (Obtain token with login).

> On another machine I left the testuser profile (which is a roaming
> profile, but Windows XP copies it on disk and does not delete it) on
> client PC and while logging in as testuser, Win tells me "no roaming
> profile found" and loads it from HD. After logging in I got a
> ticket/token and can access AFS.
>
> I assume it to be the normal way (no KFW loaded/started while obtaining
> tickets).
> Is this the official way it should be?
>
> But after I activated the "obtain token with login" in AFS I could login
> as testuser on both clients and obtained my profile from the AD server.
>
> So I still need this option to use roaming profile on AFS space.

Yes. Network Identity Manager does not run at Windows logon time.

Jeffrey Altman
Secure Endpoints Inc.
