[OpenAFS] MIT krb5 utilities don't acquire afs tokens

Derek Atkins warlord@MIT.EDU
Fri, 07 Oct 2005 09:36:06 -0400


"ph rhole oper" <slitbit@fastmail.fm> writes:

> aklog works fine with kerberos v5 on our network, but standard
> kerberized utilities (telnetd, rshd, ftpd, etc.)
> won't acquire afs tokens after they get any tickets forwarded. Is there a
> patch for these utilities so that
> once you login you'll have afs tokens too?
> The following methods have already been tested
> 1) afs-krb5 migration kit
> This option seems to be obsolete since the latest version of this kit
> refers to kerberos 1.0.x
> Is there any newer implementation of this kit around?

The 2.0 kit is slightly better, but still needs patches.  Feel free
to grab the patches in the 1.4.0rc RPM SOURCE files (available in
the candidate download section).

> 2) krb_run_aklog = true
> This option inside the krb5.conf, refers to only kerberos v4 code. It has
> nothing to do with kerberos v5.

Generally you'll need to modify PAM on the server side of the
telnetd, ftpd, sshd, etc. so that when it obtains a ticket it
also runs aklog.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available