On 12/16/2011 9:56 AM, Billy Beaudoin wrote:
> And that same bug got included in the Heimdal credential cache? Or is
> it literally the same CC from KfW?
> 
> Billy Beaudoin
> ITECS Systems
> NC State University

The bug has nothing to do with the credential cache.  The bug is in the
kfwlogon.dll network provider and associated tools which is a very ugly
bit of code.

The kfwlogon.dll network provider is not included in the Heimdal
distribution.

Here is the problem.  The network provider executes within a different
logon session and with different user credentials than the end user
desktop shell and its child processes.  The API: credential cache server
(krbcc32s.exe or krbcc64s.exe) authenticates the incoming requests to
ensure that tickets stored in one logon session cannot be accessed by
another logon session.  Each logon session gets its own instance of the
credential cache server.

Therefore, it is not possible to create an API: credential cache from
the network provider to store the credentials into such that they can be
accessed by the applications in the user's eventual logon session.  What
kfwlogon.dll does is write the credentials to a FILE: cache and then
another bit of code that is executed by the Explorer Shell logon handler
copies the FILE: cache contents into an API: cache.

With OpenAFS 1.7 and the native IFS driver we now have Authentication
Group support on Windows.  My plan is to implement a new credential
cache built on top of Authentication Groups.  The Authentication Group
for the logon session is created by the OpenAFS Network Provider
(afslogon.dll) and the AFS token obtained at logon is stored within it.

The authentication group approach is much cleaner and much more secure.
The project is unfunded as is much of the development of the OpenAFS
Windows client and Heimdal.  My priorities at the moment are fixing the
bugs in the OpenAFS Windows client and then I will return to working on
Heimdal.

Jeffrey Altman
