On 04/20/2012 01:30 PM, Lars Schimmer wrote:
On 20.04.2012 12:53, Anders Magnusson wrote:
On 04/20/2012 09:35 AM, Lars Schimmer wrote:
   From memory, during our Windows XP days (different OS, different
OpenAFS, different Network Identity Manager, different MIT Kerberos
for Windows), just locking and unlocking the computer refreshed the
AFS ticket.

How has this changed for Windows 7 and our current setup, as this
no longer seems to be working?
Remember the 2 different credential caches of Windows - one of system
at login and one for NetworkID Manager.

On Login you get a ticket/token with the Windows Builtin credential
cache which CANNOT be accessed by Network ID Manager.
Only after you obtained a token manually in NetworkID manager it renews
the token automatically and you can set the token lifetime with Network ID
manager.
The problem is:
1) Automatic renewal of the tgt by NiM does not work on Windows 7.  It did
on XP.
2) Letting NiM fetch a new tgt when the user unlocks the screen does not
work.  It did on XP.
Windows 7 is not Windows XP, MS changed a lot based on security and user
management.
Read the OpenAFS release notes about obtaining tokens on login:
http://www.openafs.org/dl/openafs/1.7.10/winxp/ReleaseNotes/html/ch03s06.html

"Integrated Logon will not transfer Kerberos v5 tickets into the user's
logon session credential cache. This is no longer possible on Vista and
Windows 7."
Yes, I have seen that, but that does not explain the behaviour since I have no wish to fetch things from MSLSA. Integrated logon works, but fetching new krbtgt at unlock of the login window does not. And BTW, importing tickets from MSLSA to API seems to work (pressing import button).

-- Ragge

It gives a bad user experience to tell them that they need to fetch
stuff manually, since they did not need to do so on XP but now on
Windows 7.  Therefore we need to find out what is wrong since this was
not a problem before (with XP).
It is a security precaution situation made by MS. Go and ask MS to
change it.

-- Ragge


MfG,
Lars Schimmer

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
