[OpenAFS] Automatically Renewing Tokens?
Dave Botsch
botsch@cnf.cornell.edu
Wed, 25 May 2011 15:02:06 -0400
See inline below...
>
> We applied a crude hack to the krb5-auth-dialog coming with EL6 (which has no plugin support yet) to make it run aklog. It's ugly, but it works...
I'd be interested in seeing your hack. For RHEL6 (which I am currently
testing) and krb5-auth-dialog, I compiled the newest gnome stuff into
/usr/local/gnome via the use of jhbuild, and then compiled the newest
krb5-auth-dialog against that. A shell script wrapper then sets the
LD_LIBRARY_PATH and PATH correctly to use the newer krb5-auth-dialog
bouncing against the newer gnome libs in /usr/local/gnome . Also needed
to enable the krb5-auth-dialog afs plugin in my gconf (but that's a user
provisioning issue).
>
> On EL4/5/6, unlocking the GNOME/KDE screensavers should refresh tokens as well.
>
On EL4 (and we'll do the same thing on EL6), we bounce against Russ's
pam-krb5 in the "auth" section and we bounce against Russ's
pam-afs-session in the "auth" section as well (which has the effect of
renewing tickets and tokens when unlocking with xscreensaver):
auth required pam_nologin.so
auth [success=ok default=ignore] pam_krb5_new.so realm=GUEST.CORNELL.EDU use_first_pass minimum_uid=100
auth [success=ok default=ignore] pam_krb5_new.so realm=CIT.CORNELL.EDU use_first_pass minimum_uid=100
auth [success=ok default=ignore] pam_krb5_new.so realm=CNF.CORNELL.EDU use_first_pass minimum_uid=100
auth [success=ignore default=ignore] pam_afs_session.so
auth sufficient pam_unix.so try_first_pass
--
********************************
David William Botsch
Programmer/Analyst
CNF Computing
botsch@cnf.cornell.edu
********************************