On 12/16/2011 9:56 AM, Billy Beaudoin wrote:
> And that same bug got included in the Heimdal credential cache? Or is
> it literally the same CC from KfW?
>
> Billy Beaudoin
> ITECS Systems
> NC State University
The bug has nothing to do with the credential cache. The bug is in the kfwlogon.dll network provider and associated tools, which is a very ugly bit of code. The kfwlogon.dll network provider is not included in the Heimdal distribution.

Here is the problem. The network provider executes within a different logon session and with different user credentials than the end user desktop shell and its child processes. The API: credential cache server (krbcc32s.exe or krbcc64s.exe) authenticates the incoming requests to ensure that tickets stored in one logon session cannot be accessed by another logon session. Each logon session gets its own instance of the credential cache server. Therefore, it is not possible to create an API: credential cache from the network provider to store the credentials into such that they can be accessed by the applications in the user's eventual logon session.

What kfwlogon.dll does is write the credentials to a FILE: cache, and then another bit of code that is executed by the Explorer Shell logon handler copies the FILE: cache contents into an API: cache.

With OpenAFS 1.7 and the native IFS driver we now have Authentication Group support on Windows. My plan is to implement a new credential cache built on top of Authentication Groups. The Authentication Group for the logon session is created by the OpenAFS Network Provider (afslogon.dll) and the AFS token obtained at logon is stored within it. The authentication group approach is much cleaner and much more secure.

The project is unfunded, as is much of the development of the OpenAFS Windows client and Heimdal. My priorities at the moment are fixing the bugs in the OpenAFS Windows client and then I will return to working on Heimdal.

Jeffrey Altman
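The logon-session isolation rule and the FILE:-cache handoff described in the message above, as an added toy model (constructed for this page; it is not KfW, Heimdal or OpenAFS code). The model assumes the API: cache server identifies callers by their logon session (an integer stands in for the LUID), that the network provider and the desktop shell run in different sessions, and that the shell-side helper removes the handoff file after copying it; the sessions, principal and ticket blob are constructed sample values.

```python
import json
import os
import tempfile
from dataclasses import dataclass, field


@dataclass(frozen=True)
class LogonSession:
    """A logon session, identified by an integer stand-in for the Windows LUID
    (assumption: the real server authenticates the caller's logon session)."""
    luid: int
    user: str


class AccessDenied(Exception):
    """Raised when a caller from another logon session touches the cache."""


@dataclass
class ApiCacheServer:
    """Per-logon-session API: cache server (krbcc32s.exe / krbcc64s.exe in the message)."""
    owner: LogonSession
    _creds: dict = field(default_factory=dict)

    def _authenticate(self, caller: LogonSession) -> None:
        # The isolation rule: only the owning logon session may read or write.
        if caller.luid != self.owner.luid:
            raise AccessDenied(f"luid {caller.luid:#x} may not use cache of luid {self.owner.luid:#x}")

    def store(self, caller: LogonSession, principal: str, ticket: str) -> None:
        self._authenticate(caller)
        self._creds[principal] = ticket

    def lookup(self, caller: LogonSession, principal: str):
        self._authenticate(caller)
        return self._creds.get(principal)


def network_provider_direct_store(provider: LogonSession, user_cache: ApiCacheServer,
                                  principal: str, ticket: str) -> bool:
    """What the network provider cannot do: write straight into the user's API: cache.
    Returns True only if the store was accepted."""
    try:
        user_cache.store(provider, principal, ticket)
        return True
    except AccessDenied:
        return False


def network_provider_file_handoff(path: str, principal: str, ticket: str) -> str:
    """The workaround in the message: write a FILE: cache for the shell-side helper.
    While it sits on disk the ticket is outside any logon-session authentication."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"principal": principal, "ticket": ticket}, fh)
    return path


def shell_logon_handler(user: LogonSession, user_cache: ApiCacheServer, path: str) -> str:
    """Runs inside the user's logon session: copies the FILE: cache into the API: cache
    and removes the handoff file (assumed cleanup behaviour)."""
    with open(path, encoding="utf-8") as fh:
        entry = json.load(fh)
    user_cache.store(user, entry["principal"], entry["ticket"])
    os.remove(path)
    return entry["principal"]


def run_logon_flow() -> dict:
    """End-to-end walk-through with constructed sessions and a constructed ticket blob."""
    provider = LogonSession(luid=0x3E7, user="SYSTEM")   # constructed: provider's session
    user = LogonSession(luid=0x12345, user="alice")      # constructed: desktop session
    other = LogonSession(luid=0x67890, user="bob")       # constructed: unrelated session
    user_cache = ApiCacheServer(owner=user)
    principal, ticket = "alice@EXAMPLE.ORG", "tgt-bytes-constructed"

    direct_ok = network_provider_direct_store(provider, user_cache, principal, ticket)

    path = os.path.join(tempfile.mkdtemp(), "krb5cc_handoff")
    network_provider_file_handoff(path, principal, ticket)
    shell_logon_handler(user, user_cache, path)

    try:
        user_cache.lookup(other, principal)
        cross_session_ok = True
    except AccessDenied:
        cross_session_ok = False

    return {
        "direct_store_from_provider": direct_ok,
        "ticket_visible_to_user": user_cache.lookup(user, principal) == ticket,
        "ticket_visible_to_other_session": cross_session_ok,
        "handoff_file_left_on_disk": os.path.exists(path),
    }


if __name__ == "__main__":
    print(run_logon_flow())
```

The direct store from the provider's session is refused, the handoff through the FILE: cache succeeds, and the resulting API: cache is still invisible to a third session. The window in which the ticket exists as a plain file, outside the per-session authentication, is what the two-step design has to manage, and it is the part an in-kernel Authentication Group would avoid.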