[OpenAFS] tokens at login (pam_krb5afs module)
Dj Merrill
deej@thayer.dartmouth.edu
Tue, 26 Apr 2005 11:37:38 -0400
Christopher Allen Wing wrote:
> As Douglas suggests, adding the principal to your realm:
>
> afs/econ.duke.edu@ECON.DUKE.EDU
> would also likely solve your problem. pam_krb5 only tries the instanceless
> principal:
>
> afs@ECON.DUKE.EDU
>
> when it can reverse map the IP address of the AFS server, and use that
> domain name to come up with a Kerberos realm, using the [domain_realm]
> section in /etc/krb5.conf.
>
> (which is not my preferred behavior)
Hi Chris,
Will this break my existing and working RHEL 3.4 systems?
I'm trying to follow along with the Krb5 migration kit so that
I understand how all of this works. My understanding is that your
"afs" principal has to have a matching kvno as in your AFS Keyfile.
If I change the format of the name from afs@ECON.DUKE.EDU to
afs/econ.duke.edu@ECON.DUKE.EDU, I believe I would also have
to add this new key into the AFS Keyfile (extract with ktadd,
add to AFS Keyfile with asetkey). However, unless the older
version of pam_krb5 used in RHEL 3.4 also uses the updated
name format, I believe I may "break" my working 3.4 machines.
Or, am I allowed to have both entries in the AFS Keyfile and
Krb database?
As a side note, I have verified that both forward and reverse
name mapping work for my primary and secondary KDC and AFS servers.
Thanks,
-Dj
--
Dj Merrill
Sportsman 2+2 Builder #7118
"TSA: Totally Screwing Aviation"
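The check behind the question above, the kvno of each "afs" principal in the Kerberos database (or the keytab extracted with ktadd) having to match a key slot in the AFS KeyFile, written out as an added example; this is not code from the thread, the migration kit, or OpenAFS itself. It parses constructed, labelled samples of `klist -k` and `bos listkeys` output (hypothetical realm, kvnos and checksums) and reports which principals have a matching KeyFile slot and which do not. It also shows the case the poster asks about, an instanceless afs@REALM entry and an afs/cell@REALM entry side by side with different kvnos, each matched to its own KeyFile slot.

```python
import re

# Constructed sample of `klist -k <keytab>` output after `ktadd` of both the
# old instanceless principal and the new afs/cell principal (not real data).
SAMPLE_KLIST = """\
Keytab name: FILE:/root/afs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 afs@ECON.DUKE.EDU
   3 afs/econ.duke.edu@ECON.DUKE.EDU
"""

# Constructed sample of `bos listkeys <server> -localauth` output with
# both kvnos loaded into the KeyFile via asetkey (checksums invented).
SAMPLE_LISTKEYS_BOTH = """\
key 2 has cksum 2035850286
key 3 has cksum 1718926045
Keys last changed on Tue Apr 26 11:00:00 2005.
All done.
"""

# Constructed sample of the same server before the new key was added.
SAMPLE_LISTKEYS_OLD = """\
key 2 has cksum 2035850286
Keys last changed on Mon Apr 25 09:00:00 2005.
All done.
"""

# One keytab line: kvno, then an afs principal with or without an instance.
KLIST_RE = re.compile(r"^\s*(\d+)\s+(afs(?:/\S+)?@\S+)\s*$", re.M)
# One `bos listkeys` line: kvno and the checksum bos prints for that slot.
LISTKEYS_RE = re.compile(r"^key (\d+) has cksum (\d+)", re.M)


def parse_keytab_listing(text):
    """Return {principal: kvno} for the afs principals in `klist -k` output."""
    return {princ: int(kvno) for kvno, princ in KLIST_RE.findall(text)}


def parse_keyfile_listing(text):
    """Return {kvno: checksum} for the key slots in `bos listkeys` output."""
    return {int(kvno): int(cksum) for kvno, cksum in LISTKEYS_RE.findall(text)}


def check_kvnos(keytab, keyfile):
    """Map each afs principal to (kvno, present_in_keyfile).

    A principal whose kvno has no KeyFile slot yields tickets the fileserver
    cannot decrypt, so tokens obtained with it will not work against the cell.
    """
    return {princ: (kvno, kvno in keyfile) for princ, kvno in keytab.items()}


def missing_slots(report):
    """Principals from check_kvnos() whose kvno is absent from the KeyFile."""
    return sorted(princ for princ, (_, ok) in report.items() if not ok)


if __name__ == "__main__":
    keytab = parse_keytab_listing(SAMPLE_KLIST)
    for label, sample in (("before asetkey", SAMPLE_LISTKEYS_OLD),
                          ("after asetkey", SAMPLE_LISTKEYS_BOTH)):
        report = check_kvnos(keytab, parse_keyfile_listing(sample))
        print(label)
        for princ, (kvno, ok) in report.items():
            print(f"  {princ}: kvno {kvno} {'OK' if ok else 'MISSING in KeyFile'}")
        print("  missing:", missing_slots(report))
```

Run it against real output by replacing the constructed samples with `klist -k /path/to/keytab` and `bos listkeys <fileserver> -localauth`. Since MIT's `ktadd` randomizes the key and increments the kvno every time it is run, the KeyFile entry has to be refreshed with the freshly extracted keytab after each ktadd, which is exactly the mismatch this check is meant to catch.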