[OpenAFS] Problem with pam on debian with 1.3.81 kernel 2.6.11

Douglas E. Engert deengert@anl.gov
Thu, 14 Apr 2005 11:08:12 -0500


Jim Rees wrote:

>   Personally I can't get -K to work, but it might be due to my PAM
>   configuration.
> 
> I couldn't get GSSAPIDelegateCredentials to work until I also set
> GSSAPIAuthentication.  I think you also need forwardable=true in krb5.conf.
> But the biggest problem for me is it only works for a single realm.

Only works for a single realm? The gssapi delegates the user's
credentials.

Is the problem really that the AFS cell and KRB5 realms don't
quite match up as expected? This could be related to AFS support
for foreign users.

> 
> I wish we still had afs token forwarding in ssh.

Glad it is gone, but it does have one advantage over
the gssapi delegation. The token is limited in that
it is only for the AFS cell, whereas the delegated TGT
is normally a full TGT, with no restrictions. Kerberos/gssapi
needs to address this better to be able to delegate
limited TGTs or selected service tickets.


-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444