[OpenAFS] tokens at login (pam_krb5afs module)

Dj Merrill deej@thayer.dartmouth.edu
Tue, 26 Apr 2005 11:37:38 -0400


Christopher Allen Wing wrote:

> As Douglas suggests, adding the principal to your realm:
> 
> 	afs/econ.duke.edu@ECON.DUKE.EDU
> 
> would also likely solve your problem. pam_krb5 only tries the instanceless
> principal:
> 
> 	afs@ECON.DUKE.EDU
> 
> when it can reverse map the IP address of the AFS server, and use that
> domain name to come up with a Kerberos realm, using the [domain_realm]
> section in /etc/krb5.conf.
> 
> (which is not my preferred behavior)


Hi Chris,
	Will this break my existing and working RHEL 3.4 systems?

	I'm trying to follow along with the Krb5 migration kit so that
I understand how all of this works.  My understanding is that your
"afs" principal has to have a matching kvno as in your AFS Keyfile.
If I change the format of the name from afs@ECON.DUKE.EDU to
afs/econ.duke.edu@ECON.DUKE.EDU, I believe I would also have
to add this new key into the AFS Keyfile (extract with ktadd,
add to AFS Keyfile with asetkey).  However, unless the older
version of pam_krb5 used in RHEL 3.4 also uses the updated
name format, I believe I may "break" my working 3.4 machines.
Or, am I allowed to have both entries in the AFS Keyfile and
Krb database?

	As a side note, I have verified that both forward and reverse
name mapping work for my primary and secondary KDC and AFS servers.

Thanks,

-Dj

-- 
Dj Merrill
Sportsman 2+2 Builder #7118

"TSA: Totally Screwing Aviation"
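An added check, not part of this thread, for the kvno match Dj describes: it compares the kvno of an AFS service principal in a keytab listing (`klist -k` output, as written by ktadd) against the key numbers in a KeyFile listing (`bos listkeys` output, as populated by asetkey). The two listings are constructed samples, not output from the poster's servers; the principal names are the ones from the message. A principal whose keytab kvno has no counterpart in the KeyFile is the case in which the KDC will happily issue service tickets that no fileserver can decrypt.

```shell
#!/bin/sh
# Added example, not from this thread: verify that the kvno of the AFS
# service principal in a keytab (ktadd output) also exists in a server's
# KeyFile (bos listkeys output). Both inputs are parsed as text so the
# check can be run on saved output.

# Constructed sample of `klist -k` output for a keytab written by ktadd.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/tmp/afs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 afs/econ.duke.edu@ECON.DUKE.EDU
   3 afs@ECON.DUKE.EDU'

# Constructed sample of `bos listkeys` output for a server's KeyFile.
SAMPLE_KEYFILE_LISTING='key 3 has cksum 1234567890
Keys last changed on Tue Apr 26 10:00:00 2005.
All done.'

# keytab_kvno LISTING PRINCIPAL -> prints every kvno of PRINCIPAL in LISTING
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }'
}

# keyfile_has_kvno LISTING KVNO -> exit 0 if the KeyFile holds that key number
keyfile_has_kvno() {
    printf '%s\n' "$1" | awk -v k="$2" \
        '$1 == "key" && $2 == k { found = 1 } END { exit !found }'
}

# check_principal KEYTAB_LISTING KEYFILE_LISTING PRINCIPAL
# Prints "absent" (principal not in keytab), "mismatch" (no keytab kvno
# is present in the KeyFile) or "ok", with exit status 1/1/0.
check_principal() {
    kvno=$(keytab_kvno "$1" "$3")
    [ -n "$kvno" ] || { echo "absent"; return 1; }
    for k in $kvno; do
        if keyfile_has_kvno "$2" "$k"; then
            echo "ok"
            return 0
        fi
    done
    echo "mismatch"
    return 1
}

# Demonstration on the constructed samples: the instanceless principal
# matches key 3, so this prints "ok".
check_principal "$SAMPLE_KEYTAB_LISTING" "$SAMPLE_KEYFILE_LISTING" \
    afs@ECON.DUKE.EDU
```

On a real server the two inputs would be `klist -k /path/to/keytab` on the machine where ktadd wrote the keytab and `bos listkeys <server> -localauth` on the fileserver. The check only compares key numbers, which is what the fileserver selects on; it does not tell you whether the KDC has both the instanceless and the instanced principal, which is the separate question raised in the message.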