Douglas E. Engert wrote:
Ryan L. Means wrote:
Good afternoon,

We are just starting to use AFS here at the School of Law at UC Berkeley. Everything seems to be working well with OpenAFS for Windows and the integrated logon functionality that grabs a Kerberos 5 ticket and then the AFS token. Unfortunately, it seems that when a user locks their workstation, leaves for longer than the 10 hour ticket expiration period, and then comes back, the ticket and token have expired and the act of unlocking the workstation doesn't get another set.

We do have an abnormal setup here where there are two realms, one MIT, one AD.

Different realm names?

Yes, the BERKELEY.EDU realm exists on the MIT KDC, but there is another realm name for the Windows AD KDC. To make a long story short, the administrators of our previously existing MIT KDC infrastructure did not trust that Windows AD would provide an acceptable KDC. For a while we even had a cross-realm trust and users would log into their workstations with the MIT realm identity instead of the AD one (that is no longer the case). There are plans to merge the two KDCs now, but it could be over a year before that happens, if it happens at all.

Is the AFS access then using K4 or K5 to get AFS tokens?

K5 from the MIT KDC.

Is there any reason that you could not use the AD K5 realm to get the
afs K5 ticket? At least for Windows users?

Other than the problem of it being very confusing for our users that move from Windows to Mac to Unix, no. The problem is that the protection server currently only allows one identity for each AFS user (right?). So if we could have both identities in there there wouldn't be any problems at all.

As Jeff pointed out in a previous note there is no notification for the
screen unlock where the netmgr could get the username and password to use
with the second realm.

With K5, tickets may be renewable and the netmgr will renew K5 tickets
and get a new AFS token so the 10 hour limit is not a real issue
until the RenewUntil time is reached.  If your MIT realm is using K5
does it allow renewable tickets, and for how long?

Yes, it does allow renewable tickets for up to 7 days. But, it doesn't seem like netmgr is renewing them when the workstation is locked. That would help the problem because then users who never log out would only be prompted every 7 days...

If you could use the Windows KDC with AFS, the netmgr could use
the MSLSA to get the updated TGT created by screen unlock with a new
RenewUntil time.

Right, but this isn't going to be workable for us until the realms are merged.

Jeff,
The netmgr can import tickets from MSLSA, but only appears to do this
at login or when the import credentials is selected.  Could it do this
on a periodic basis to check if the MSLSA TGT might have been updated
by a screen unlock?  Or did I miss something?

So if Ryan can use the Windows DC as the KDC, with renewable tickets
with a reasonable RenewUntil time, and the users unlock their machines
some time within the RenewUntil time, they would never lose
their AFS token.
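To make the renewal argument in the message above concrete, here is a small model of a renewable Kerberos 5 TGT written for this page; it is an added example, not code from the thread, OpenAFS or the netmgr. It uses the two standard Kerberos rules that matter here: a ticket can only be renewed while it is still valid (an expired ticket cannot be renewed, only replaced with a fresh kinit), and each renewal yields a ticket that expires at the earlier of "now + ticket lifetime" and the RenewUntil time. The 10 hour ticket lifetime and 7 day renewable lifetime are the values stated in the thread; the hourly check schedule for the renewer is an assumption made for the simulation.

```python
"""Model of renewable-TGT behaviour during a locked-workstation period.

Constructed example for the OpenAFS-info thread; not netmgr code.
Assumptions: 10 h ticket lifetime, 7 day RenewUntil (values from the
thread); a renewer that runs at fixed check times (assumed, not the
actual netmgr schedule).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

LIFETIME = timedelta(hours=10)        # ticket lifetime from the thread
RENEWABLE_LIFE = timedelta(days=7)    # MIT realm's max renewable life


@dataclass(frozen=True)
class Ticket:
    issued: datetime
    expires: datetime
    renew_until: datetime


def issue(now: datetime) -> Ticket:
    """Fresh TGT as obtained by an integrated logon (kinit with -r)."""
    return Ticket(now, now + LIFETIME, now + RENEWABLE_LIFE)


def renew(ticket: Ticket, now: datetime) -> Optional[Ticket]:
    """Renew the TGT (what `kinit -R` or the netmgr's renewer does).

    Returns None when renewal is impossible: the ticket has already
    expired, or its RenewUntil time has been reached. In both cases the
    user must supply a password again to get new credentials.
    """
    if now >= ticket.expires:
        return None                         # expired tickets cannot be renewed
    if now >= ticket.renew_until:
        return None                         # renewable lifetime exhausted
    new_expiry = min(now + LIFETIME, ticket.renew_until)
    return Ticket(now, new_expiry, ticket.renew_until)


def run_checks(ticket: Ticket,
               check_times: List[datetime]) -> Tuple[List[Tuple[datetime, str]], Optional[Ticket]]:
    """Attempt a renewal at each check time (e.g. a periodic renewer).

    Stops at the first failed renewal, which is the point at which the
    AFS token can no longer be refreshed. Returns the event log and the
    final ticket (None if the chain broke).
    """
    events: List[Tuple[datetime, str]] = []
    for when in check_times:
        renewed = renew(ticket, when)
        if renewed is None:
            events.append((when, "renewal failed: fresh credentials needed"))
            return events, None
        ticket = renewed
        events.append((when, f"renewed, now expires {ticket.expires:%a %H:%M}"))
    return events, ticket


if __name__ == "__main__":
    login = datetime(2007, 1, 1, 9, 0)          # constructed: Monday 09:00 logon
    tgt = issue(login)

    # Case 1: workstation locked at 17:00, nothing renews, unlock next morning.
    # The 10 h ticket expired overnight, so the unlock-time renewal fails.
    print("unlock after 24 h, no renewer:", renew(tgt, login + timedelta(hours=24)))

    # Case 2: a renewer that checks hourly keeps the chain alive right up to
    # RenewUntil (7 days), at which point a password is required again.
    hourly = [login + timedelta(hours=h) for h in range(1, 169)]
    log, final = run_checks(tgt, hourly)
    print("hourly renewer: last events:", log[-2:], "final ticket:", final)
```

The second case is the "never lose their AFS token" outcome Doug describes: as long as something renews the TGT at intervals shorter than the ticket lifetime, the only hard deadline is RenewUntil. The first case is the situation Ryan reports, where nothing runs while the workstation is locked and the unlock finds an expired, non-renewable ticket.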


Thanks, Doug!
_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info