Frode Nilsen wrote:

The only problem I encountered was with the pam_krb5afs module on the
clients (running fc3); it won't give a token when logging in. My solution
to this, was to set '-acl system:anyuser l' on my users home volumes, and
running 'aklog' from '.bash_profile'. I don't like that users can list the
content of other peoples home volumes, but this was the only solution I
could find.

I wonder what solution other people have on this problem?


Hi Frode,
        Three days ago I posted the following that solved this for me
under RHEL 4.  You should be able to look at the archives for
the complete thread on the topic.

----------
    To answer my own query, no, it does not break the
RHEL 3.4 machines.  I basically did:
"asetkey list" to get the highest KVNO listed (in my case, 1).
I then created the afs/econ.duke.edu principal and
modified the kvno:

kadmin.local: addprinc afs/econ.duke.edu
WARNING: no policy specified for afs/[EMAIL PROTECTED]; defaulting to no policy
Enter password for principal "afs/[EMAIL PROTECTED]":
Re-enter password for principal "afs/[EMAIL PROTECTED]":
Principal "afs/[EMAIL PROTECTED]" created.
kadmin.local: modprinc -kvno 1 afs/econ.duke.edu
Principal "afs/[EMAIL PROTECTED]" modified.


Add it to the keytab file:
kadmin.local: ktadd -k /etc/krb5.keytab -e des-cbc-crc:v4 afs/[EMAIL PROTECTED]
Entry for principal afs/[EMAIL PROTECTED] with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.


    Use asetkey to add it to AFS:
./asetkey add 2 /etc/krb5.keytab afs/econ.duke.edu

    Test on RH3.4:
(login via ssh)
$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 1001) tokens for [EMAIL PROTECTED] [Expires Apr 27 13:28]
   --End of list--
$ klist
Ticket cache: FILE:/tmp/krb5cc_1001_f8uBQi
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
04/26/05 12:01:58  04/27/05 12:01:58  krbtgt/[EMAIL PROTECTED]
        renew until 04/27/05 12:01:58


Kerberos 4 ticket cache: /tmp/tkt1001_GltNi8 Principal: [EMAIL PROTECTED]

  Issued              Expires             Principal
04/26/05 12:01:58  04/27/05 09:16:58  [EMAIL PROTECTED]
04/26/05 12:01:58  04/26/05 23:46:58  [EMAIL PROTECTED]

Test on RHEL 4:
(login via ssh)
$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 1001) tokens for [EMAIL PROTECTED] [Expires Apr 27 12:04]
   --End of list--
$ klist
Ticket cache: FILE:/tmp/krb5cc_1001_OsfvYl
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
04/26/05 12:02:59  04/27/05 12:04:29  krbtgt/[EMAIL PROTECTED]
        renew until 04/27/05 12:04:29


Kerberos 4 ticket cache: /tmp/tkt1001_lA8gnk Principal: [EMAIL PROTECTED]

  Issued              Expires             Principal
04/26/05 10:38:08  04/27/05 12:04:29  [EMAIL PROTECTED]
---------

--
Dj Merrill
Sportsman 2+2 Builder #7118

"TSA: Totally Screwing Aviation"
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info

Reply via email to