[OpenAFS-devel] Where is the right place for this question?
Adam Thornton
adam@fsf.net
Wed, 16 Jan 2002 12:30:52 -0600
This isn't really the right forum for this, I don't think, so please
just redirect me to the appropriate list if it isn't...

The setup is this:

I'm using MIT K5 as my Kerberos implementation, with krb524d providing
translation for AFS.

How do I provide for getting tickets [Dumb Question #1 Here] for users
that cannot be prompted for passwords (for instance, mail delivery into
AFS space)? I don't especially want to have to patch all my services to
be Kerberized-AFS aware. As far as I can tell, pam_krb_5 is going to
prompt me for a password.

The obvious, but almost certainly wrong, answer I see that allows me to
avoid having to modify the services themselves is to wrapper them in
something that, say, runs an expect script that does a kinit as the
appropriate principal, reads the password from an
appropriately-protected local file, then does an aklog. But, well, ugh.

I'm sure this is something that many sites are doing, but I haven't had
much luck Googling to find out how it works.

Please point me to the right place to ask this, if this isn't it.

Adam

DQ1: I do mean "Tickets", right? Not "tokens?" Because when I do a kinit
and then an aklog, I can manipulate files in AFS space, klist
shows me my principal and an afs@REALM ticket; tokens shows me
nothing. But really what's happening is that I'm sort of faking a
token with the Kerberos ticket and k524d, right? Or am I even
more confused than usual?