[OpenAFS] Re: Authentication without aklog

Douglas E Engert deengert@gmail.com
Tue, 05 Aug 2014 11:20:55 -0500

On 8/5/2014 10:43 AM, Andrew Deason wrote:
> On Tue, 05 Aug 2014 09:34:30 -0500
> Douglas E Engert <deengert@gmail.com> wrote:
>> On 8/4/2014 9:35 PM, Andrew Deason wrote:
>>> Users of all other kerberized services do not need to "login" to every
>>> service they use. If everything is configured properly to use kerberos,
>>> I don't need to separately login to the ldap server, to ssh, to
>>> kerberized nfs, or even to a website using spnego.I just use the
>>> relevant service after I have acquired kerberos tickets.
>>> Of course, most
>>> of those are userspace programs where this is much easier, but I see no
>>> reason for the user experience to be different for a non-userspace
>>> application if there are no technical obstacles making it impossible.
>>> (And imo, NFS has shown it's not impossible.)
>> That works if both user and server are in same realm or with cross
>> realm trust. An afs aklog daemon could work like (or use) the
>> rpc.gssd.
> Yes... that's what I've been proposing. (Well, one of the approaches.)
>> This works well in an enterprise,or where cross realm trust between
>> organization is setup. But wide spreed cross realm trust has not
>> caught on.  and it is not clear if the original question of this
>> thread was addressing where the user did not do a Kerberos login.
> I don't see how that matters. Either the user logged in via pam_krb5 or
> something, or they logged in without any krb5 integration and manually
> ran 'kinit'. Either way it should be possible to work without any
> AFS-aware authentication steps.

OK, they still had to have Kerberos tickets. I was looking more at
"single sign on". It would be nice if the aklog step could be handled
by a gssd.

There is still the issue of where a gssd will find the ticket cache.

>> As a side note, where I used to work, is a member of InCommon, uses AD
>> for kerberos, and the Shibboleth IDP would accept user/password,
>> Smartcards or Windows Auto Enroll certificates, or Kerberos credentials
>> for authentication. We used Box and other cloud services. AFS is used
>> only internally and works without the users having to use aklog
>> if they logged in via Kerberos to AD.
> I'm assuming you mean that 'aklog' or an equivalent was run during the
> login process, and it just wasn't visible to the users.That is, 'aklog'
> (or equivalent) was still run; the system was just setup to do it for
> them.

Correct, pam and kstart to keep it upto date.



  Douglas E. Engert  <DEEngert@gmail.com>