On 8/24/2017 12:49 PM, John D'Ausilio wrote:
> The system I'm doing a POC with uses local accounts in production on
> both linux and windows boxes, which are headless.

The use of local Windows accounts means that there is no Kerberos
authentication available via Windows logon through the LSA.  Are these
systems joined to a domain?

If so, why the choice of local accounts versus domain accounts?

> On linux, k5start with a keytab for the afs user works fine for keeping
> a fresh token available for the local account.
> On windows, I'm having problems getting similar functionality.
> First attempt was a scheduled task as the local user to kinit with the
> keytab and then aklog .. it runs without errors but other shells (new or
> existing) for the same user don't see any tickets (klist) or tokens.
> Separate caches?

Separate AFS Process Authentication Groups.  Each user session on
Windows is the root of an independent AFS Process Authentication Group.
The tokens acquired by the scheduled task are not in the same context as
the user's desktop session.

> Second attempt was with Network Identity Manager, which would be perfect
> if I can figure out how to make it use my keytab instead of typing a
> password.

You are correct that NIM does not at present have the ability to use a
keytab for authentication.  Adding such a capability would be easy.  I
will point out that the reason I never added support for file based
keytabs on Windows is because I consider them to be relatively insecure
compared to the encrypted key store infrastructure that Windows
provides.  Unfortunately I've never had the time or other resources
necessary to implement a Windows key store keytab type for Heimdal or
other.  Nor have I had the time to implement the kernel based version of
the CCAPIv3 which I've wanted for almost two decades.

> Anyone have another solution?

1. Porting k5start to Windows.

2. Writing an auto-run notification process (although that is what NIM is.)

Jeffrey Altman
