[OpenAFS] tokens at login (pam_krb5afs module)
Christopher Allen Wing
wingc@engin.umich.edu
Mon, 25 Apr 2005 17:27:10 -0400 (EDT)
> As per the K5 migration info, I have an afs principal:
> afs@ECON.DUKE.EDU
> however, I note that the pam_krb5afs tries several other
> combinations, but not this one exactly. For example, it tries
> afs@ECON.DUKE.EDU, afs/econ.duke.edu@econ.duke.edu, and
> afs/econ.duke.edu@ECON.DUKE.EDU.

As Douglas suggests, adding the principal to your realm:

    afs/econ.duke.edu@ECON.DUKE.EDU

would also likely solve your problem. pam_krb5 only tries the instanceless
principal:

    afs@ECON.DUKE.EDU

when it can reverse map the IP address of the AFS server, and use that
domain name to come up with a Kerberos realm, using the [domain_realm]
section in /etc/krb5.conf.

(which is not my preferred behavior)

-Chris Wing
wingc@engin.umich.edu
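
Added example, not part of the original message and not pam_krb5's own code: a simplified model of the [domain_realm] lookup described above, useful for checking which realm a reverse-resolved AFS server name would map to and therefore which instanceless principal would be derived. The krb5.conf contents and host names are constructed, the function names are hypothetical, and the matching order (exact host entry, then dotted parent domains from most to least specific) is a simplification of the library's lookup.

```python
import re

# Constructed sample of an /etc/krb5.conf; the host entry is hypothetical.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = ECON.DUKE.EDU

[domain_realm]
    .econ.duke.edu = ECON.DUKE.EDU
    afsdb1.econ.duke.edu = ECON.DUKE.EDU
    .duke.edu = DUKE.EDU
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a {name: realm} dict."""
    mapping, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            in_section = header.group(1) == "domain_realm"
        elif in_section and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def realm_for_host(hostname, mapping):
    """Exact host entry first, then dotted parent domains, most specific first."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None  # no entry matches: no realm can be derived from this name

def instanceless_afs_principal(server_hostname, mapping):
    """afs@REALM for the realm the server name maps to, or None if unmapped."""
    realm = realm_for_host(server_hostname, mapping)
    return f"afs@{realm}" if realm else None
```

Pass the name that a reverse lookup of the AFS server's address actually returns; a missing or mismatched PTR record gives a different name and so a different, or no, realm.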