KfW Integrated Logon

Sensei senseiwa at tin.it
Sat Oct 30 06:36:02 EDT 2004

Jeffrey Altman wrote:
> When OpenAFS is used on Windows and the user account stores the
> Windows Profile in the AFS file system there is a requirement that
> the AFS Client Service (afs file system client) possess the Kerberos
> based AFS authentication token prior to the moment that Windows
> attempts to read the profile out of the file system.  This is
> performed by installing a Network Provider module into the Windows
> Login process.  The Network Provider is given access to the user's
> name and password so that the necessary credentials can be obtained
> prior to the creation of the Logon Session for the user.  Creating
> the Logon Session requires access to the Windows Profile for the
> user.

Well, I've been wandering about implementing a real integrated logon, 
and it seems that what you're stating does not work so easily (at my 
knowledge, it won't work).

It's possible to have windows authenticate to a kdc. OpenAFS gets the 
right ticket and token after the authentication. Anyway, a local profile 
it's still needed to create a login, since the profile isn't readable 
while windows logs on.

Are you saying that you succeeded in making windows use an external kdc 
to authenticate, storing windows profiles on the user's volume? All this 
things without creating a local profile for each user (principal) and 
without using AD in X-realm? If so, how did you get that? Samba in some 
weird mode? Ldap?

Sensei <mailto:senseiwa at tin.it> <pgp:8998A2DB>

The optimist says "Tomorrow is sunday".
The pessimist says "The day after tomorrow's monday". (Gustave Flaubert)

More information about the Kerberos mailing list