Nicolas Williams wrote:
>
> # One or both of GSSAPIAuthentication and GSSAPIKeyExchange must be on
> GSSAPIAuthentication yes
> GSSAPIKeyExchange yes
> GSSAPIStoreDelegatedCredentials yes
>

The defaults for all of these are yes, we did not have to change the
/etc/ssh/sshd_config.

> Restart the ssh service if you had to change this.
>
> 2) On the client side make sure that you have credentials to delegate
>    (klist -f should show a forwardable TGT in your ccache).
>

Yes.

> 3) On the client make sure that you're not disabling the relevant
>    ssh_config(4) parameters in /etc/ssh/ssh_config or in ~/.ssh/config,
>    particularly GSSAPIDelegateCredentials.
>

yes.

> To debug this try running ssh -vvv. If that does not produce enough
> information then try running sshd in debug mode as well:
>
>     # /usr/lib/ssh/sshd -dddp 2222
>     ...
>
>     % ssh -p 2222 ...
>     ...
>
> Capture the output and send it to me.
>
>>> We force ssh via PAM to be a session based cred, and get AFS token too:
>>>
>>> # Used by GSS, but ssh has bug about saving creds, so we use session
>>> based creds.
>> That kind of explains things then. I guess it's a bug, eh?
>
> It's not.

I disagree. Using a user based cache vs a session based cache
can lead to deleted tickets when a session ends, or user logs off
the console. We also saw that only the TGT would get updated, and
not the other tickets in the cache.

> Doug is doing something that is very specific to his site.

Not really, Jeff Blaine is also on the AFS list, and I bet that
where he is heading is getting AFS tokens...

>
> Nico

--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
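Steps 2 and 3 of the checklist quoted in the message above can be checked mechanically. The following is an added example, not part of the original thread: the function names and sample inputs are constructed, and it assumes `klist -f` prints a `Flags:` field on the line after each ticket entry.

```shell
# Step 3: read ssh_config/sshd_config text on stdin and print every line
# that explicitly turns a GSSAPI option off ("Key no" or "Key=no").
gss_disabled() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blanks
        {
            sub(/=/, " ")                        # accept the Key=value form
            key = tolower($1); val = tolower($2); gsub(/"/, "", val)
            if (key ~ /^gssapi(authentication|keyexchange|delegatecredentials|storedelegatedcredentials)$/ && val == "no")
                print NR ": " $1 " " $2
        }'
}

# Step 2: read `klist -f` output on stdin; succeed only if a krbtgt entry
# carries the F (forwardable) flag. Lowercase f means "forwarded".
has_forwardable_tgt() {
    awk '
        /^[^ \t].*@/ && !/principal:/ { tgt = ($NF ~ /^krbtgt\//); next }
        tgt && /Flags:/ {
            s = $0; sub(/.*Flags:[ \t]*/, "", s); sub(/[ \t,].*/, "", s)
            if (s ~ /F/) found = 1
        }
        END { exit !found }'
}

# Constructed sample inputs (not taken from the thread).
sample_ssh_config() {
cat <<'EOF'
# per-user overrides
Host *.example.org
    GSSAPIAuthentication yes
    gssapidelegatecredentials=no
EOF
}

sample_klist() {
cat <<'EOF'
Default principal: alice@EXAMPLE.ORG
01/01/24 10:00:00  01/01/24 20:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: FIA
01/01/24 10:05:00  01/01/24 20:00:00  host/srv.example.org@EXAMPLE.ORG
        Flags: FA
EOF
}

sample_ssh_config | gss_disabled
sample_klist | has_forwardable_tgt && echo "forwardable TGT present"
```

On a real client, feed the functions `cat /etc/ssh/ssh_config ~/.ssh/config` (one file at a time if you need exact line numbers) and the output of `klist -f`.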
