[OpenAFS] integrated logon for Solaris and AFS

J S vervoom@hotmail.com
Tue, 27 Apr 2004 13:16:14 +0000


>>>> >You should use PAM instead of modifying /bin/login!
>>>>
>>>>FWIW, we use here a modified version of the Kerberos 5 login program on
>>>>our systems (including Solaris).  I got tired of fighting with the various
>>>>different PAM APIs across systems, and it didn't cover all of them.  I
>>>>can only say "it works for us", and I seem to spend less time changing
>>>>login.krb5 & the few other things that take a Kerberos password than I
>>>>would if I was messing around with PAM modules ... so I'm happy with that
>>>>decision.
>>>>
>>>>--Ken
>>>
>>>
>>>Thanks Ken. I'll look into that option.
>>>
>>>The main thing is that I don't screw up the other users. I only want to
>>>set this up for one user.
>>>
>>
>>I'm having some difficulty with this single sign-on. Would be grateful if
>>anyone could help me out!
>>I've built Kerberos 5 but am having problems setting that up. I can't replace
>>/bin/login because I only want to set this up for one user.
>>Does anyone know what version the Kerberos is on IBM's AFS Transarc
>>build?
>>Will the Kerberos 5 client be compatible with that?
>>Also I'm not sure if I've configured krb5.conf correctly either. When I
>>run kinit I get this reply back:
>># ./kinit
>>kinit(v5): Initial Ticket response appears to be Version 4 error while getting initial credentials
>>Lastly, is there an easier way of doing this?!!!
>>
>
>
>Actually, a 'klist' should show you if you got a Kerberos 4 ticket.
>
>Horst
>

I did that and it listed 2 tokens:

# ./klist -5
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

# ./klist -4
Kerberos 4 ticket cache: /tmp/tkt0
Principal: atserver.smpd9@TOPEND.ABC.COM

  Issued              Expires             Principal
04/27/04 07:03:41  04/27/04 15:03:41  krbtgt.TOPEND.ABC.COM@TOPEND.ABC.COM
04/27/04 11:37:17  04/27/04 15:07:17  rcmd.smpd9@TOPEND.ABC.COM

# cat /etc/krb.conf
TOPEND.ABC.COM
TOPEND.ABC.COM smpd9 admin server

However, I didn't set up the /etc/krb.conf above; that was already on the
box, so it looks like someone is already using Kerberos for something else.
My AFS Kerberos server is on a different host. I'm not really sure what
TOPEND.ABC.COM is either? Is that the same as the AFS cell? Can I add an
entry to krb.conf to get it to work with the AFS Kerberos?

JS.
