Jeffrey Hutzelman wrote:
On Friday, February 23, 2007 12:03:58 PM -0600 "Douglas E. Engert"
<[EMAIL PROTECTED]> wrote:
So to force sshd to use a session based cache we added a
"pam_krb5_cache.so.1 cache=/tmp/krb5cc_%u_%p" to set the cache name.
Horray for extensibility!
Also as you must already know, I have bee bugging them to
release the Kerberos header files for Solaris 10, so one could
compile *aklog* using the Solaris Kerberos. (This is reported to be
in "update 4". looks like this might be another 6 months!)
We have ben using OpenSolaris Kerberos header files with Solaris 10,
and so far it works.
There are krb5 headers in /usr/include/kerberosV5 on my snv_56 box.
On my Ultra 25 with Solaris 10 and every other Solaris 10 box, they
just have the two MIT copyright files.
As for home directories; we've been putting users' home
directories in AFS for O(15) years, though we only appear to have been
supporting Solaris since 1995. If you have specific issues, please
describe them instead of asking that Sun be "willing to state a desire"
for things to work that already do.
There are still issues with having to have an AFS token before any
files in the home directory are accessed, even the .k5login. Since this
is a general OS problem.
That's hardly specific to Solaris, nor really something Sun can do
anything about, short of using a different authorization model. My
usual recommended answer to this problem is to be less fascist about
home directory ACL's, but of course that's not for everyone.
Same here. Symlinks to a .Dotfile directory. Messy but works.
(My home directory has been in AFS since 1992.)
But until this general problem can be solved on *all* platforms
one can not tighten down the ACLs on the home directory. Maybe
get Sun do somehting about it on their systems. NFSv4 should
have the same problem, so maybe they will.
The point is things don't work as well as they could, partly because the
OS developers don't use AFS. This "acceptance of a "gift" might be the
time to get Sun to look a little closer at how things really work.
Bear in mind that at the moment, we're not talking about whether we
should accept a grant. We're talking about whether we should ask for
one. (In fact, even that isn't really a topic for openafs-info, but
it's too late to do anything about that now).
-- Jeff
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
