KfW Integrated Logon
Sensei
senseiwa at tin.it
Sat Oct 30 06:36:02 EDT 2004
Jeffrey Altman wrote:
> When OpenAFS is used on Windows and the user account stores the
> Windows Profile in the AFS file system there is a requirement that
> the AFS Client Service (afs file system client) possess the Kerberos
> based AFS authentication token prior to the moment that Windows
> attempts to read the profile out of the file system. This is
> performed by installing a Network Provider module into the Windows
> Login process. The Network Provider is given access to the user's
> name and password so that the necessary credentials can be obtained
> prior to the creation of the Logon Session for the user. Creating
> the Logon Session requires access to the Windows Profile for the
> user.
Well, I've been wondering about implementing a real integrated logon,
and it seems that what you're stating does not work so easily (to my
knowledge, it won't work).

It's possible to have Windows authenticate to a KDC. OpenAFS gets the
right ticket and token after the authentication. Anyway, a local profile
is still needed to create a login, since the profile isn't readable
while Windows logs on.

Are you saying that you succeeded in making Windows use an external KDC
to authenticate, storing Windows profiles on the user's volume? All these
things without creating a local profile for each user (principal) and
without using AD in X-realm? If so, how did you get that? Samba in some
weird mode? LDAP?
--
Sensei <mailto:senseiwa at tin.it> <pgp:8998A2DB>
The optimist says "Tomorrow is sunday".
The pessimist says "The day after tomorrow's monday". (Gustave Flaubert)
More information about the Kerberos
mailing list