Well, I already have in that section...

<key>authenticate</key>
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>mechanisms</key>
    <array>
        <string>builtin:authenticate</string>
        <string>builtin:reset-password,privileged</string>
        <string>builtin:authenticate,privileged</string>
        <string>builtin:krb5authnoverify,privileged</string>
        <string>PKINITMechanism:auth,privileged</string>
        <string>aklog:cnf.cornell.edu,privileged</string>
    </array>
</dict>

and the screensaver refreshes Kerberos tickets but not AFS tokens. You
had mentioned adding the aklog to the mechanisms in the
system.login.screensaver, but that section doesn't even have a
mechanisms section:

<key>system.login.screensaver</key>
<dict>
    <key>class</key>
    <string>rule</string>
    <key>comment</key>
    <string>The owner or any administrator can unlock the screensaver.</string>
    <key>rule</key>
    <string>authenticate-session-owner-or-admin</string>
</dict>

On Wed, Dec 21, 2011 at 10:29:39AM -0500, Derrick Brashear wrote:
> given where system.login.screensaver gets its rules from, i suspect you
> need aklog at the end of here, so an admin can still screen unlock,
> but if a user authenticates the tokens refresh. and if admin
> authenticates and no ticket is written, i wonder what happens...
>
> <key>authenticate</key>
> <dict>
>     <key>class</key>
>     <string>evaluate-mechanisms</string>
>     <key>mechanisms</key>
>     <array>
>         <string>builtin:authenticate</string>
>         <string>builtin:reset-password,privileged</string>
>         <string>builtin:authenticate,privileged</string>
>         <string>PKINITMechanism:auth,privileged</string>
>     </array>
> </dict>
>
>
> On Wed, Dec 21, 2011 at 10:14 AM, Dave Botsch <[email protected]> wrote:
> > It's a question of where the screensaver looks for its config.
> >
> > On Tue, Dec 20, 2011 at 05:40:17PM -0500, Brandon Allbery wrote:
> >> On Tue, Dec 20, 2011 at 16:04, Dave Botsch <[email protected]> wrote:
> >>
> >> > Makes me wonder, though, why the kerberos ticket renewal still works
> >> > there even though that's not specifically in the screensaver.
> >>
> >>
> >> How do you check a Kerberos password? You use it to get a ticket.
> >>
> >> --
> >> brandon s allbery [email protected]
> >> wandering unix systems administrator (available) (412) 475-9364 vm/sms
> >
> > --
> > ********************************
> > David William Botsch
> > Programmer/Analyst
> > CNF Computing
> > [email protected]
> > ********************************
> > _______________________________________________
> > OpenAFS-info mailing list
> > [email protected]
> > https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
>
> --
> Derrick
>
--
********************************
David William Botsch
Programmer/Analyst
CNF Computing
[email protected]
********************************
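
Added example, not part of the original thread or of OpenAFS: a Python script that follows the "rule" references from a right such as system.login.screensaver and lists which entries actually carry a mechanisms array naming a given plugin (here aklog). The rights/rules layout of the sample and the body of authenticate-session-owner-or-admin are assumptions; the thread shows neither, and the function names resolve and holders are hypothetical.

```python
import plistlib

# Constructed sample built from the fragments quoted in the thread. The
# rights/rules layout and the authenticate-session-owner-or-admin body are assumed.
SAMPLE = b"""<plist version="1.0"><dict>
<key>rights</key><dict>
  <key>system.login.screensaver</key><dict>
    <key>class</key><string>rule</string>
    <key>rule</key><string>authenticate-session-owner-or-admin</string>
  </dict>
</dict>
<key>rules</key><dict>
  <key>authenticate-session-owner-or-admin</key><dict>
    <key>class</key><string>user</string>
  </dict>
  <key>authenticate</key><dict>
    <key>class</key><string>evaluate-mechanisms</string>
    <key>mechanisms</key><array>
      <string>builtin:authenticate</string>
      <string>aklog:cnf.cornell.edu,privileged</string>
    </array>
  </dict>
</dict>
</dict></plist>"""

def resolve(db, name, seen=None):
    """Follow 'rule' references from a right: [(name, class, mechanisms), ...]."""
    seen = set() if seen is None else seen
    if name in seen:                      # guard against reference loops
        return []
    seen.add(name)
    entry = db.get("rights", {}).get(name) or db.get("rules", {}).get(name)
    if entry is None:                     # dangling reference
        return [(name, None, [])]
    chain = [(name, entry.get("class"), list(entry.get("mechanisms", [])))]
    refs = entry.get("rule", [])
    for ref in [refs] if isinstance(refs, str) else refs:
        chain += resolve(db, ref, seen)
    return chain

def holders(db, plugin):
    """Every right or rule whose mechanisms list names the given plugin."""
    entries = {**db.get("rights", {}), **db.get("rules", {})}
    return sorted(n for n, e in entries.items()
                  if any(m.split(":")[0] == plugin for m in e.get("mechanisms", [])))

if __name__ == "__main__":
    db = plistlib.loads(SAMPLE)
    for name, cls, mechs in resolve(db, "system.login.screensaver"):
        print(f"{name}: class={cls} mechanisms={mechs or 'none'}")
    print("aklog is listed in:", holders(db, "aklog"))
```

On the sample, the screensaver right resolves through two entries with no mechanisms array, while aklog appears only under the separate authenticate rule.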