Christos Triantafyllidis wrote:

Jeffrey Altman wrote:

The only purpose of the AFS_Logoff_Event is to delete the tokens.
Remove the AFS_Logoff_Event from the registry. If you still have a problem, it is not related to the possession of tokens.

I just tried this. No luck.

If you have removed the AFS_Logoff_Event (you did reboot?), then AFS is not deleting the tokens. Are you deleting the tokens via some other operation?

For example, do you have Leash32 (KFW) configured to delete tickets/tokens when Leash is closed?

Of course, this does not answer the question of why IsPathInAFS()
is returning FALSE.  What is the return code from the pioctl() call?

I tried something more: I put my profile dir in a folder with ACLs giving full access to the user system:anyone. The profile was uploaded. I think that proves that the problem is on tokens and not on the Unicode names etc...

This proves that you are having access problems.

I might have lost something in the whole thing. Can someone send a step-by-step guide to roaming profiles on AFS? (assuming no OpenAFS client or MIT Kerberos installed)

I don't think such a guide exists. After you finish setting this up perhaps you want to write one.

If it is possible, send more than "Installing OpenAFS". Something like "Installing OpenAFS, in the installation activate integrated logon" etc...

* Install OpenAFS for Windows and Kerberos for Windows.

  - configure the cell to be the one for which user tokens must
    be obtained

  - configure the use of Integrated Logon

  - crypt mode and Freelance mode can be set to the value of your choice

  - ensure that the CellServDB file or DNS AFSDB records contain the
    information for your AFS servers

  - ensure that the krb5.ini file or DNS SRV records contain the
    information for your Kerberos 5 KDCs.

  - ensure that there is an appropriate domain to realm mapping in
    the krb5.ini file

* Check to ensure that you can obtain tokens for the user.

* Map the user account profile to the appropriate AFS UNC path using
  the tools for the version of Windows Server or Samba server you
  are using.

I believe that is an appropriate overview.

I tried Rodney's AFSLogonShell guide but I had no luck (as he told me, it is not updated for current versions of MIT Kerberos and OpenAFS), although it was a wonderful work.

Rodney's guide is close enough to work. The only thing that has changed is that you want to use UNC paths \\AFS\cellname\path instead of global drive mappings.

Something else that I thought of:
Is it possible to create a keytab for the user SYSTEM? If so, how can I make SYSTEM use it? Is adding code at AFS_Logoff_Event a good place? (I don't know if it is executed as SYSTEM or as the user who is logging off.)

AFS_Logoff_Event only serves one purpose. It deletes the current user's
tokens. As such, it is executed as the user. If you delete this function from the registry then AFS will never delete tokens. If tokens are being deleted it is being done somewhere else.

Of course, if your pioctl() calls are failing during AFS_Logoff_Event perhaps something else is wrong. I will once again ask, what is the
return code of the pioctl() call within IsPathInAfs()?

Jeffrey Altman

P.S. - Feel free to send me a ticket to Greece to debug this problem
on-site.  I did not make it to Thessaloniki this summer when I was in
your country.  I would enjoy the trip.

Christos Triantafyllidis,
Aristotle University of Thessaloniki, Greece
Department Of Physics
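The overview above (cell and Integrated Logon configured, tokens obtainable, profile mapped to a \\AFS\cellname\... UNC path, and the user actually able to write there) can be checked in one pass. The following PowerShell script is an added example, not part of this thread or of OpenAFS; it assumes the ActiveDirectory module and the OpenAFS/KfW command-line tools (`klist`, `tokens`, `fs`) are on the PATH, and the cell name `example.cell` and the account name are placeholders.

```powershell
# Added diagnostic for AFS roaming profiles (example code, not from the thread).
# Placeholders: $Cell is your AFS cell name; $SamAccountName is the account whose
# profile is failing. Run it in the session of that user after logon.
param(
    [string]$SamAccountName = $env:USERNAME,
    [string]$Cell = 'example.cell'          # placeholder: your AFS cell
)

$ErrorActionPreference = 'Stop'
$expectedPrefix = "\\AFS\$Cell\"

# 1. Kerberos: show the current user's ticket cache (KfW klist).
Write-Host "== Kerberos tickets (klist) =="
& klist

# 2. AFS tokens: the cache manager must hold a token for the cell, otherwise
#    every access to the profile path is done as system:anyone.
Write-Host "== AFS tokens (tokens) =="
$tokenOutput = & tokens 2>&1
$tokenOutput
if (-not ($tokenOutput | Where-Object { $_ -match [regex]::Escape($Cell) })) {
    Write-Warning "No token for cell $Cell in 'tokens' output: Integrated Logon / KfW token acquisition is not working for this user."
}

# 3. Profile mapping: the AD account must point into AFS via a UNC path,
#    not a global drive mapping (drive letters do not exist yet at logon).
$user = Get-ADUser -Identity $SamAccountName -Properties ProfilePath
$profilePath = $user.ProfilePath
Write-Host "ProfilePath: $profilePath"
if (-not $profilePath) {
    Write-Warning "No ProfilePath set; the profile will stay local."
} elseif (-not $profilePath.StartsWith($expectedPrefix, [StringComparison]::OrdinalIgnoreCase)) {
    Write-Warning "ProfilePath does not start with $expectedPrefix (use a UNC path, not a drive mapping)."
}

# 4. Access: prove the user (with its tokens) can create and delete a file
#    in the profile directory, and show the ACL that governs it.
if ($profilePath -and (Test-Path -LiteralPath $profilePath)) {
    Write-Host "== ACL on profile directory (fs listacl) =="
    & fs listacl $profilePath
    $probe = Join-Path $profilePath ("probe-" + [guid]::NewGuid().ToString('N') + ".tmp")
    try {
        Set-Content -LiteralPath $probe -Value 'probe'
        Remove-Item -LiteralPath $probe
        Write-Host "Write/delete in profile directory as ${SamAccountName}: OK"
    } catch {
        Write-Warning "Cannot write to $profilePath as ${SamAccountName}: $($_.Exception.Message)"
        Write-Warning "If the same write works once system:anyone has write rights, the user has no usable token at that moment."
    }
}
```

The last step reproduces the experiment described earlier in the thread (writes succeed only when system:anyone is granted access) in a controlled way: the ACL is printed next to the probe result, so a failure can be attributed to a missing token rather than to the path, Unicode names, or the mapping.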
