[OpenAFS] Questions, vol. 2.

J. D. Nurmi jnurmi-openafs-info@qwe.cc
Wed, 21 Jan 2004 14:46:35 -0500


On Wed, 2004-01-21 at 13:53, Todd M. Lewis wrote:
> Stephen Bosch wrote:
> 
> Putting klog in the login script is probably not a good idea unless 
> something in the login environment itself requires AFS authentication. 
> In particular, klog in the login script (or AFS authentication) should 
> not be required if home directories are not in AFS. If home dirs _are_ 
> in AFS, then you really do want to get authenticated logins to create a 
> PAG and get tokens. (I could be persuaded otherwise by a cleverly 
> constructed argument, but that's my gut reaction.)

I know on our local site, Kerberos authentication is a must, so all
logged in users are ensured as having a ticket. We end up doing
something along the lines of

/etc/bash.bashrc: [Debian name, I believe]
klist -s && aklog

(klist -s returns success IFF there are valid tickets to be found)
Generally speaking we assume our users want access to AFS, as there are
only very limited anonymous accesses in, and nobody logs in without
valid Kerberos tickets, (ssh -K is configured as the default for the
main departmental machines) soooo, if they have tickets, they get
tokens, and if by some fluke they don't, then time isn't wasted attempting
to get them.

James
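
A guarded form of the `klist -s && aklog` line described above, written as an added example that is not part of the original post or of OpenAFS. The function name `afs_tokens_from_tickets` and its return codes are assumptions made for this sketch; it also covers hosts where the Kerberos or AFS client tools are missing and keeps an aklog failure from interrupting the login.

```shell
# Added example for a system-wide shell rc file such as /etc/bash.bashrc.
# Return codes are this example's own convention (hypothetical):
#   0 = tokens obtained, 1 = no valid tickets, 2 = tools missing, 3 = aklog failed
afs_tokens_from_tickets() {
    # Host without the Kerberos/AFS client tools: do nothing, stay quiet.
    command -v klist >/dev/null 2>&1 || return 2
    command -v aklog >/dev/null 2>&1 || return 2

    # klist -s prints nothing; its exit status is 0 only when valid tickets exist.
    # Without tickets, skip aklog entirely so no time is spent on a doomed request.
    klist -s || return 1

    # Tickets are present: convert them to AFS tokens.
    # A failure is reported on stderr but must never abort the login.
    if ! aklog; then
        echo "aklog failed; continuing without AFS tokens" >&2
        return 3
    fi
    return 0
}

# Run only for interactive shells, so scp/rsync/cron sessions are left alone.
case $- in
    *i*) afs_tokens_from_tickets || : ;;
esac
```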