Thanks to Jim Doyle at Boston University!
Daniel
----- Forwarded message from Jim Doyle -----
Date: Wed, 22 Apr 1998 14:02:18 -0400 (EDT)
From: Jim Doyle <[EMAIL PROTECTED]>
To: "Daniel D. Arrasjid" <[EMAIL PROTECTED]>
Subject: Re: long running DCE jobs?
> We think this is a general problem for batch jobs that use k4/k5 and/or
> AFS/DFS services. What have people been doing in the k4/k5/AFS/DFS
> space to deal with this problem?
> Outside of keytabs. We're looking at creating a batch job wrapper
> which requires the username/password of the user, obtains the
> credential, and refreshes it for the duration of the process.
> Any thoughts?
Transarc has a tool that does this... It's called 'dce_refresh'. You can
feed it a cleartext password, or point it at a keytab. It establishes
a new context & PAG, and keeps the password in memory... A thread runs
in the parent process that refreshes the DCE login context before
it expires.
If you want to pick up a copy, it's in my AFS home directory:
/afs/bu.edu/usr/it/jrd/work/Authentication/DCE/dce_login_refresh
I also have some other toys of interest to some people:
1. dce_login from DCE 1.2.2. Takes the '-k <keytabfile>' option.
directory: /afs/bu.edu/usr/it/jrd/work/Authentication/DCE/dce_login_keytab
The latest Transarc DCE supplies this feature, older DCE implementations
don't. If you need it, and don't have it, this is it.
2. dce_mkacctskel, dce_setkrb5key
directory: /afs/bu.edu/usr/it/jrd/work/Authentication/DCE/dce_set_krb5_keys
These are some simple tools that I've written... They basically get
around a problem with dcecp insisting that you type the administrator's
password to a prompt for certain functions (i.e. creating a new acct,
setting the password).
dce_setkrb5key allows you to set the Kerberos V keystring value
for a particular account... This may be useful for people who have
Kerberos 5 keys stored somewhere and wish to move them into DCE.
We use this for our account administration infrastructure.. We convert
passwords to AFS and Krb5 keys, pump them to DCE and AFS, and store
copies in a very secure database.
It could be easily adapted to accept cleartext passwords instead
of hexadecimal strings representing a Krb5 Key.
3. afs_login_refresh, afs_login_keytab
directory: /afs/bu.edu/usr/it/jrd/work/Authentication/AFS
These are some AFS tools that I wrote, borrowing heavily from
the Transarc 'dce_refresh' tool.
afs_login_keytab basically establishes a PAG from a Krb4 srvtab file.
afs_login_refresh uses the same srvtab files to refresh the AFS token
just before it expires.
-- Jim
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Jim Doyle Boston University Information Technology
Systems Analyst/Programmer email: [EMAIL PROTECTED] Distributed Systems
http://www.bu.edu/~jrd/ tel. (617)-353-8248
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++--+-+-+-+-+-+-
----- End of forwarded message from Jim Doyle -----
--
Daniel D. Arrasjid Computing and Information Technology
Voice: (716) 645-6153 State University of New York at Buffalo
Fax: (716) 645-5972 301 Computing Center, Buffalo, NY 14260
E-Mail: [EMAIL PROTECTED] WWW: http://www.acsu.buffalo.edu/~daniel
PGP public key: http://www.acsu.buffalo.edu/~daniel/key.html