On 25 Oct 2007, at 23:34, Jason Edgecombe wrote:


> just another data point. We didn't want to have to retrain any users,
> but home users must still run "kinit; aklog"

Another data point - we do all of this invisibly. We have a PAM stack set up which gets Kerberos tickets, AFS tokens and kx509 certificates upon login. We provide a command called 'renc', which just authenticates against a screensaver style PAM stack to renew all of the user's credentials, and we also renew whenever they unlock the screen. We've also patched the GNOME Kerberos ticket watcher applet so that it uses a PAM stack, too.

For administrative use, we have a shell alias, 'asu' which looks something like:

alias asu='pagsh -c "export KRB5CCNAME=$KRB5CCNAME.asu \\
           && kinit $USER/admin \\
           && aklog \\
           && PS1=[\\\\h]\\\\u/admin: PS2=[\\\\h]\\\\u/admin.. /bin/bash --norc \\
           && kdestroy"'

Which we use to get admin credentials when we need them.

Simon.

_______________________________________________
OpenAFS-devel mailing list
OpenAFS-devel@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-devel
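
A variant of the 'asu' idea above, written as a shell function. This is an added example, not part of the original message or of OpenAFS. In the alias as posted, kdestroy sits at the end of an && chain and so runs only when every earlier step, including the admin shell, exits zero; here an EXIT trap destroys the separate admin cache on every exit path. ASU_SHELL, ASU_CC and ASU_PRINC are hypothetical names introduced for the example.

```shell
# Added example (not from the original message): 'asu' as a POSIX function.
# Assumes pagsh, kinit, aklog and kdestroy are on PATH. ASU_SHELL is a
# hypothetical override for the admin shell (default: /bin/bash --norc).
asu() (
    # Refuse to guess a cache location: with KRB5CCNAME unset, the ".asu"
    # suffix alone would name a file in the current directory.
    : "${KRB5CCNAME:?asu: KRB5CCNAME is not set}"

    # Pass values into the new PAG through the environment so the inner
    # script can stay single-quoted and nothing is expanded twice.
    ASU_CC="$KRB5CCNAME.asu" \
    ASU_PRINC="$USER/admin" \
    ASU_SHELL="${ASU_SHELL:-/bin/bash --norc}" \
    pagsh -c '
        # Admin tickets go to their own cache, never the login cache.
        export KRB5CCNAME="$ASU_CC"
        kinit "$ASU_PRINC" || exit 1
        # From here on, destroy the admin cache however this script ends.
        trap kdestroy EXIT
        trap "exit 1" HUP INT TERM
        aklog || exit 1
        PS1="[\h]\u/admin: " PS2="[\h]\u/admin.. " $ASU_SHELL
        # Explicit exit: the admin shell is not the last command, so sh
        # cannot exec it in place and skip the EXIT trap.
        exit $?
    '
)
```

The function body runs in a subshell, so the caller's own KRB5CCNAME and login tickets are left untouched.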