On 20.04.2012 12:53, Anders Magnusson wrote:
> On 04/20/2012 09:35 AM, Lars Schimmer wrote:
>>> From memory, during our Windows XP days (different OS, different
>>> OpenAFS, different Network Identity Manager, different MIT Kerberos
>>> for Windows), just locking and unlocking the computer refreshed the
>>> AFS ticket.
>>>
>>> How has this changed for Windows 7 and our current setup, as this
>>> no longer seems to be working?
>> Remember the 2 different credential caches of Windows - one of system
>> at login and one for NetworkID Manager.
>>
>> On Login you get a ticket/token with the Windows Builtin credential
>> cache which CANNOT be accessed by Network ID Manager.
>> Only after you obtained a token manually in NetworkID manager it renews
>> the token automatically and you can set the token lifetime with Network ID
>> manager.
> The problem is:
> 1) Automatic renewal of the tgt by NiM does not work on Windows 7. It did
> on XP.
> 2) Letting NiM fetch a new tgt when the user unlocks the screen does not
> work. It did on XP.

Windows 7 is not Windows XP; MS changed a lot based on security and user
management.
Read the OpenAFS release notes about obtaining tokens on login:
http://www.openafs.org/dl/openafs/1.7.10/winxp/ReleaseNotes/html/ch03s06.html
"Integrated Logon will not transfer Kerberos v5 tickets into the user's
logon session credential cache. This is no longer possible on Vista and
Windows 7."

> It gives a bad user experience to tell them that they need to fetch
> stuff manually,
> since they did not need to do so on XP but now on Windows 7. Therefore
> we need to
> find out what is wrong since this was not a problem before (with XP).

It is a security precaution situation made by MS. Go and ask MS to change it.

> -- Ragge
>

Best regards,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schim...@cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723