Jim Rees wrote:
Personally I can't get -K to work, but it might be due to my PAM configuration.
I couldn't get GSSAPIDelegateCredentials to work until I also set GSSAPIAuthentication. I think you also need forwardable=true in krb5.conf. But the biggest problem for me is it only works for a single realm.
Only works for a single realm? The gssapi delegates the user's credentials.
Is the problem really that the AFS cell and KRB5 realms don't quite match up as expected? This could be related to AFS support for foreign users.
I wish we still had afs token forwarding in ssh.
Glad it is gone, but it does have one advantage over the gssapi delegation. The token is limitd in that it is only for the AFS cell, where as the delegated TGT is a normally a full TGT, with no restrictions. Kerberos/gsspai needs to address this better to be able to delegate limited TGTs or selected service tickets.
_______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
