On Fri, 16 Dec 2011, Christopher Odenbach wrote:
This can only be true for 64 Bit Windows 7, because it is running on
our Windows 7 pool with 32 Bit machines. Logging into the machines
gets AFS token AND Kerberos ticket!

Are you sure the Kerberos ticket is not coming from the MSLSA ?

Yes. The pool machines are domain members. Our domain is
'AD.UNI-PADERBORN.DE', our Kerberos realm is 'UNI-PADERBORN.DE'. Both
realms have all users with identical usernames and password. There is
also a cross realm trust, but that should be unrelated in this case.

I log on to the machine as AD\odenbach, so the Microsoft credential cache
is filled with [email protected]. But the Network Identity
Manager grabs the credentials and gets the ticket for
[email protected]. So that is exactly the behaviour which I want
to see. But it only works on 32 bit machines.

Just to check I have now created a local account on a pool machine, same
username and same password. If I log on to the machine using this local
account, I do not get a MSLSA ticket (which is clear), but I do get an
MIT Kerberos Ticket and an AFS Token. Renewable and everything.

So what is the difference between 32 bit and 64 bit? Has Microsoft
dropped some feature here?

As I have stated in this thread before there is a bug in the
64bit KfW. You have to patch it (or rename DLLs - not recommended).
It will never work without such modifications (*). Trust me. :-)
We use a similar configuration (without the cross realm trust).

Alternatively, there may be a correct 64bit-KFW version available
for Secure Endpoints support customers. You may consider
contacting Secure Endpoints for further assistance.

(*) If I remember correctly, the relevant hook function at
    logon loads the wrong DLL and fails (64bit only).

Jens Wegener
Chemnitz University of Technology

--
Jens Wegener                  | E-Mail: [email protected]
Universitaetsrechenzentrum    | Phone:  +49 (0)371 531 31137
TU Chemnitz, D-09107 Chemnitz | Fax:    +49 (0)371 531 8 31137
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
