[OpenAFS] is this what windows folks call "integrated login"?

Dale Pontius pontius@btv.ibm.com
Mon, 23 Aug 2010 11:43:15 -0400


On 08/21/10 19:03, Adam Megacz wrote:
> I have a MacOS laptop.  My username and local password on the laptop
> happen to match my kerberos username and password.  My kerberos tickets
> expire after 10 hours, but are renewable for 10 *days*.
>
> It occurred to me that it would be nifty if my laptop acquired kerberos
> tickets for me when I logged in (during the brief window when my
> un-hashed password is present in laptop RAM), and made an attempt to
> renew them once an hour (if connected to the network).  This would save
> me having to do a separate kinit after logging in, and having to
> re-kinit every 10 hours.  I've got a screensaver lock and encrypt my
> swapfile, so I'm not too worried about physical theft issues resulting
> in ticket theft.
>
> Is there a piece of software that does this?  It's been a long, long
> time since I used Windows, but it sounds like this feature is what the
> Windows client calls "integrated login".  Or maybe not.  Either way, is
> there a way to get MacOS to do this?
Be very careful of an integrated login on a laptop.  I set up to have
(sometimes) integrated login on Linux, and it can be problematic if you
try to log in while away from the network where your AFS server resides -
as in a really looooong timeout.  I don't know if this is standard
behavior for Windows or MacOS integrated logins, and for that matter I
don't know if this is even the current behavior for an integrated login
under Linux, any more.  I just know that when I first set things up
under Linux, if the server wasn't available, only root could log in.

I'm not using Gnome or KDE.  I have scripts that integrate and
dis-integrate my login, based on what network I've attached to.

-- 
Dale Pontius
Senior Engineer
IBM Corporation
Phone: (802) 769-6850
Tie-Line: 446-6850
email: pontius@us.ibm.com

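An added example, not code from either poster in this thread: a sketch of the hourly renewal asked about in the quoted question, with a short reachability probe so the job skips quickly when the laptop is away from the network instead of stalling on a timeout. The hostname `kdc.example.org`, a KDC that accepts TCP on port 88, an `nc` that supports `-z` and `-w`, and the return codes are all assumptions of this example.

```shell
#!/bin/sh
# Added example: renew a renewable Kerberos TGT and refresh the AFS token,
# but only when the KDC answers a quick probe.
KDC_HOST="${KDC_HOST:-kdc.example.org}"  # placeholder hostname (assumption)
KDC_PORT="${KDC_PORT:-88}"               # Kerberos port; TCP listener assumed
PROBE_TIMEOUT="${PROBE_TIMEOUT:-3}"      # seconds to wait before giving up

# Fast TCP probe. Assumes an nc that supports -z (scan only) and -w (timeout).
kdc_reachable() {
    nc -z -w "$PROBE_TIMEOUT" "$KDC_HOST" "$KDC_PORT" >/dev/null 2>&1
}

# One renewal attempt. Return codes (chosen for this example):
#   0 renewed, 1 no valid TGT, 2 KDC unreachable, 3 renewal refused,
#   4 TGT renewed but aklog failed.
renew_once() {
    # kinit -R only works while the current TGT is still valid, so an
    # expired or missing ticket needs an interactive kinit instead.
    klist -s || return 1
    # Off-network: skip without touching Kerberos or AFS.
    kdc_reachable || return 2
    # Fails once the renewable lifetime is used up.
    kinit -R || return 3
    # The AFS token does not follow the renewed TGT; fetch a fresh one.
    aklog || return 4
    return 0
}

# Retry forever at a fixed interval (default: once an hour).
renew_loop() {
    interval="${1:-3600}"
    while :; do
        rc=0
        renew_once || rc=$?
        case "$rc" in
            1) echo "no valid ticket: run kinit" >&2 ;;
            3) echo "renewal refused: run kinit" >&2 ;;
            4) echo "ticket renewed, aklog failed" >&2 ;;
        esac
        sleep "$interval"
    done
}

# Nothing runs unless the script is started with --loop.
if [ "${1:-}" = "--loop" ]; then
    renew_loop 3600
fi
```
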