Christopher D. Clausen wrote:
I'm using Solaris for my servers, two are Solaris 10 running 1.3.80 and one is still Solaris 9 running 1.2.13.

I'm using NIS for account information.

NIS, I see.

Which Kerberos are you using?

For KDC, I have debian woody's packages, so MIT.

I compiled and am using MIT Kerberos 1.3.1 or possibly 1.3.6, not sure exactly.

I thought someone had previously mentioned a pure Kerberos 5 aklog available somewhere, but I haven't yet tried to compile it on AIX nor do I remember where it is available from.

We can compile (at least I hope) aklog from sources, but the problem is that I don't see where to attach aklog, which has to be run before a session is opened.

I just downloaded and compiled gssklog on AIX:
ftp://achilles.ctd.anl.gov/pub/DEE/

Of course, this requires gssklogd running on your AFS servers, but this was an acceptable alternative for us since we also use gssklog from our Windows 2003 machines.

Mmmh... another daemon, another port open. We can give it a try anyway. How can you use it on AIX? I mean, how do you start gssklog in your config files?

I have an AIX 5.1 and 5.2 machine with AFS and Kerberos working quite well. Only issue is that users do not automatically acquire tokens at login. They simply run gssklog to obtain tokens. This is acceptable in my environment. You might be able to get a pam_run or similar module to run an aklog or gssklog at login on AIX 5.2. (AIX 5.1 has no real PAM.) Is this the only problem you are having?

I can't use LDAP to retrieve user information. And... it's quite bad not having any token at login! :) Do you use ssh or a direct login?

There was a recent post about afs_dynamic_kerbauth working in 1.3.80 but I still run 1.2.13 on my AIX machines. Can someone confirm that it does indeed work against a Kerberos 5 KDC? afs_dynamic_kerbauth does NOT appear to work against a Kerberos 5 KDC in the 1.2.13 version, although I will re-test if someone believes it does.

I'd be happy staying with the stable branch... If I'm right, afs_dynamic_kerbauth works with Kerberos 4, not 5... is it so?

--
Sensei <mailto:[EMAIL PROTECTED]> <pgp:8998A2DB>

The difference between stupidity and genius is that genius has its limits.
   Albert Einstein
