[OpenAFS] Automatically Renewing Tokens?

Dave Botsch botsch@cnf.cornell.edu
Wed, 25 May 2011 15:02:06 -0400

See inline below...

> We applied a crude hack to the krb5-auth-dialog coming with EL6 (which has no plugin support yet) to make it run aklog. It's ugly, but it works...

I'd be interested in seeing your hack. For RHEL6 (which I am currently
testing) and krb5-auth-dialog, I compiled the newest gnome stuff into
/usr/local/gnome via the use of jhbuild, and then compiled the newest
krb5-auth-dialog against that. A shell script wrapper then sets the
LD_LIBRARY_PATH and PATH correctly to use the newer krb5-auth-dialog
bouncing against the newer gnome libs in /usr/local/gnome . Also needed
to enable the krb5-auth-dialog afs plugin in my gconf (but that's a user
provisioning issue).

> On EL4/5/6, unlocking the GNOME/KDE screensavers should refresh tokens as well.

On EL4 (and we'll do the same thing on EL6), we bounce against Russ's
pam-krb5 in the "auth" section and we bounce against Russ's
pam-afs-session in the "auth" section as well (which has the effect of
renewing tickets and tokens when unlocking with xscreensaver):

auth  required                         pam_nologin.so
auth  [success=ok default=ignore]      pam_krb5_new.so realm=GUEST.CORNELL.EDU use_first_pass minimum_uid=100
auth  [success=ok default=ignore]      pam_krb5_new.so realm=CIT.CORNELL.EDU use_first_pass minimum_uid=100
auth  [success=ok default=ignore]      pam_krb5_new.so realm=CNF.CORNELL.EDU use_first_pass minimum_uid=100
auth  [success=ignore default=ignore]  pam_afs_session.so
auth  sufficient                       pam_unix.so try_first_pass


David William Botsch
CNF Computing
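
Added example (not part of the original message and not the poster's code): a small Python model of how libpam combines the control fields in the auth stack quoted above, showing that a success in any one realm carries the stack while a failing "required" module still denies. The module return codes fed in are constructed scenarios, and pam_nologin returning "ignore" when /etc/nologin is absent is an assumption.

```python
# Added illustration: models how libpam combines module results for the
# control fields in the quoted auth stack. The return codes passed in are
# constructed scenarios, not captured logs.

# Keyword controls expand to these bracket forms (see pam.conf(5)).
ALIASES = {
    "required": {"success": "ok", "new_authtok_reqd": "ok",
                 "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
}

def parse_control(field):
    """Turn 'required' or '[success=ok default=ignore]' into an action map."""
    if field in ALIASES:
        return ALIASES[field]
    return dict(pair.split("=") for pair in field.strip("[]").split())

STACK = [  # (label, control) in the order given in the message
    ("nologin", "required"),
    ("krb5:GUEST", "[success=ok default=ignore]"),
    ("krb5:CIT", "[success=ok default=ignore]"),
    ("krb5:CNF", "[success=ok default=ignore]"),
    ("afs_session", "[success=ignore default=ignore]"),
    ("unix", "sufficient"),
]

def evaluate(results):
    """results maps label -> return code name; returns the stack's verdict."""
    impression, status = None, "perm_denied"  # libpam starts undecided
    for label, control in STACK:
        ret = results[label]
        actions = parse_control(control)
        action = actions.get(ret, actions["default"])
        if action in ("ok", "done"):
            # A positive result only counts if nothing has failed so far.
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", ret
            if action == "done" and impression == "pos":
                break
        elif action in ("bad", "die"):
            if impression != "neg":  # the first failure is the one reported
                impression, status = "neg", ret
            if action == "die":
                break
        # "ignore": this module does not influence the verdict
    return status if impression else "perm_denied"
```

Because pam_afs_session is set to ignore for every return code, it obtains tokens as a side effect without ever changing whether the unlock succeeds.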