Re: [OpenAFS] tokens at login (pam_krb5afs module)

Tue, 26 Apr 2005 09:09:21 -0700 

Dj Merrill wrote:

Hi Chris,
    Will this break my existing and working RHEL 3.4 systems?



        To answer my own query, no, it does not break the
RHEL 3.4 machines.  I basically did:
"asetkey list" to get the highest KVNO listed (in my case, 1).
I then created the afs/econ.duke.edu principal and
modified the kvno:

kadmin.local: addprinc afs/econ.duke.edu
WARNING: no policy specified for afs/[EMAIL PROTECTED]; defaulting to no policy
Enter password for principal "afs/[EMAIL PROTECTED]":
Re-enter password for principal "afs/[EMAIL PROTECTED]":
Principal "afs/[EMAIL PROTECTED]" created.
kadmin.local: modprinc -kvno 1 afs/econ.duke.edu
Principal "afs/[EMAIL PROTECTED]" modified.

Add it to the keytab file:
kadmin.local: ktadd -k /etc/krb5.keytab -e des-cbc-crc:v4 afs/[EMAIL PROTECTED]
Entry for principal afs/[EMAIL PROTECTED] with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.

        Use asetkey to add it to AFS:
./asetkey add 2 /etc/krb5.keytab afs/econ.duke.edu

        Test on RH3.4:
(login via ssh)
$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 1001) tokens for [EMAIL PROTECTED] [Expires Apr 27 13:28]
   --End of list--
$ klist
Ticket cache: FILE:/tmp/krb5cc_1001_f8uBQi
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
04/26/05 12:01:58  04/27/05 12:01:58  krbtgt/[EMAIL PROTECTED]
        renew until 04/27/05 12:01:58


Kerberos 4 ticket cache: /tmp/tkt1001_GltNi8
Principal: [EMAIL PROTECTED]

  Issued              Expires             Principal
04/26/05 12:01:58  04/27/05 09:16:58  [EMAIL PROTECTED]
04/26/05 12:01:58  04/26/05 23:46:58  [EMAIL PROTECTED]

Test on RHEL 4:
(login via ssh)
$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 1001) tokens for [EMAIL PROTECTED] [Expires Apr 27 12:04]
   --End of list--
$ klist
Ticket cache: FILE:/tmp/krb5cc_1001_OsfvYl
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
04/26/05 12:02:59  04/27/05 12:04:29  krbtgt/[EMAIL PROTECTED]
        renew until 04/27/05 12:04:29


Kerberos 4 ticket cache: /tmp/tkt1001_lA8gnk
Principal: [EMAIL PROTECTED]

  Issued              Expires             Principal
04/26/05 10:38:08  04/27/05 12:04:29  [EMAIL PROTECTED]

        One interesting note is that "klist" under
3.4 gives an entry for "[EMAIL PROTECTED]"
whereas for 4 it does not.  However, it seems to work - I can
access files in AFS, etc.

        I think it is working - I'll test more to find out.
Thanks for the pointers!!!!

-Dj

--
Dj Merrill
Sportsman 2+2 Builder #7118

"TSA: Totally Screwing Aviation"
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info

Reply via email to