[OpenAFS] Re: [OpenAFS-port-darwin] os x: destroying kerb tickets also destroys tokens

David Botsch dwb7@ccmr.cornell.edu
Mon, 27 Jan 2003 16:34:59 -0500


I think it is (was there more than one out there -- too long ago to 
recall)?

Well, here's the thing:
when a user logs out, yes, tokens should be destroyed.

However, here at Cornell, we have the need for a user to have to change 
Kerberos realms (we run our own, and the rest of the university runs 
theirs). So, for example, if a user wanted to then check the regular 
Cornell email, they would have to destroy their MSC Kerberos tickets 
and get a CIT Kerberos ticket. But, because home directories are stored 
in AFS, they still need to retain their token.

Maybe there is some way to differentiate these two cases... I do not 
know.

On 2003.01.27 16:28 Alexei Kosut wrote:
> On Monday, January 27, 2003, at 03:20  PM, David Botsch wrote:
>> Using OS X.2.2, MIT Kerberos 4.5.1, and the aklog Kerberos plugin.
>> 
>> If I bring up the Kerberos control panel and destroy the Kerberos v4 
>> tickets, the AFS tokens are also being destroyed. For obvious 
>> reasons, this is not good.
> 
> Assuming the aklog Kerberos plugin you're using is mine, that's the 
> expected behavior.  If you don't want it, open up kfm_aklog.c and 
> remove the unlog() call from KerberosLoginNotification_Logout().
> 
> Personally, I think it's the right behavior, at least most of the 
> time (here at Stanford, it's the default, but we have an option in 
> our GUI to turn it off).  When AFS tokens are obtained automatically 
> as a side effect of clicking "Get Tickets...", a user who isn't aware 
> of this certainly won't know that they need to do something else 
> besides clicking "Destroy Tickets" to safely leave the computer.
> 
>-- 
> Alexei Kosut <akosut@cs.stanford.edu> 
> <http://cs.stanford.edu/~akosut/>
> 

-- 
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7@ccmr.cornell.edu
********************************