Ryan L. Means wrote:
> Good afternoon,
> We are just starting to use AFS here at the School of Law at UC
> Berkeley. Everything seems to be working well with OpenAFS for Windows
> and the integrated logon functionality that grabs a Kerberos 5 ticket
> and then the AFS token. Unfortunately, it seems that when a user locks
> their workstation, leaves for longer than the 10 hour ticket expiration
> period, and then comes back, the ticket and token have expired and the
> act of unlocking the workstation doesn't get another set.
> We do have an abnormal setup here where there are two realms, one MIT,
> one AD.
Different realm names?
> The passwords are synchronized between the realms, but the user
> does log into their workstation using the AD identity and access AFS
> resources with the MIT identity.
Is the AFS access then using K4 or K5 to get AFS tokens?
> So far, with the integrated login, this
> hasn't been a problem. Is this locking/unlocking issue caused by the
> split realms, or is there another force at work?
> Thanks to anyone who can help!
Is there any reason that you could not use the AD K5 realm to get the
afs K5 ticket? At least for Windows users?
As Jeff pointed out in a previous note there is no notification for the
screen unlock where the netmgr could get the username and password to use
with the second realm.
With K5, tickets may be renewable and the netmgr will renew K5 tickets
and get a new AFS token, so the 10 hour limit is not a real issue
until the RenewUntil time is reached. If your MIT realm is using K5,
does it allow renewable tickets, and for how long?
If you could use the Windows KDC with AFS, the netmgr could use
the MSLSA to get the updated TGT created by screen unlock with a new
RenewUntil time.
Jeff,
The netmgr can import tickets from MSLSA, but only appears to do this
at login or when the import credentials is selected. Could it do this
on a periodic basis to check if the MSLSA TGT might have been updated
by a screen unlock? Or did I miss something?
So if Ryan can use the Windows DC as the KDC, with renewable tickets
with a reasonable RenewUntil time, and the users unlock their machines
some time within the RenewUntil time, they would never lose
their AFS token.
> Ryan
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
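A small added model of the renewal behaviour discussed above (example code, not from the thread or from OpenAFS/netmgr): it simulates a 10 hour ticket with an assumed 7 day RenewUntil and a background renewer that runs every few hours, and shows that the token survives a long lock only while a renewal happens before the current ticket expires and before RenewUntil. The 7 day renewable lifetime and the 5 hour renewal interval are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed parameters: the 10 hour lifetime matches the thread; the
# 7 day renewable lifetime is an assumed KDC policy, not a value from the post.
TICKET_LIFETIME = timedelta(hours=10)
RENEW_UNTIL = timedelta(days=7)


class Ticket:
    """Minimal Kerberos 5 TGT model: endtime plus a fixed renew-till."""

    def __init__(self, issued, lifetime=TICKET_LIFETIME, renew_until=RENEW_UNTIL):
        self.issued = issued
        self.lifetime = lifetime
        self.expires = issued + lifetime
        self.renew_till = issued + renew_until  # set once at the initial AS-REQ

    def valid(self, now):
        return now < self.expires

    def renew(self, now):
        """Renewal only succeeds while the ticket is still valid and before
        renew-till; the new endtime is capped at renew-till."""
        if not self.valid(now) or now >= self.renew_till:
            return False
        self.expires = min(now + self.lifetime, self.renew_till)
        return True


def token_survives_lock(lock_hours, renew_interval_hours=5,
                        start=datetime(2024, 1, 1, 9)):
    """Lock the workstation at `start` for `lock_hours`, with a background
    renewer (like netmgr) attempting a renewal every `renew_interval_hours`.
    Returns True if the ticket (and so the AFS token) is still valid at unlock."""
    ticket = Ticket(start)
    now = start
    unlock = start + timedelta(hours=lock_hours)
    while now + timedelta(hours=renew_interval_hours) < unlock:
        now += timedelta(hours=renew_interval_hours)
        ticket.renew(now)  # silently fails once expired or past renew-till
    return ticket.valid(unlock)
```

Renewing every 5 hours keeps a 20 hour or 6 day lock alive, while renewing only every 11 hours lets the ticket lapse at hour 10, and no schedule survives past RenewUntil.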