[OpenAFS-port-darwin] os x: destroying kerb tickets also destroys tokens

Alexei Kosut akosut@cs.stanford.edu
Mon, 27 Jan 2003 15:28:17 -0600


On Monday, January 27, 2003, at 03:20  PM, David Botsch wrote:
> Using OS X.2.2, MIT Kerberos 4.5.1, and the aklog kerberos plugin.
>
> If I bring up the kerberos control panel and destroy the kerberos v4 
> tickets, the afs tokens are also being destroyed. For obvious reasons, 
> this is not good.

Assuming the aklog Kerberos plugin you're using is mine, that's the 
expected behavior.  If you don't want it, open up kfm_aklog.c and 
remove the unlog() call from KerberosLoginNotification_Logout().

Personally, I think it's the right behavior, at least most of the time 
(here at Stanford, it's the default, but we have an option in our GUI 
to turn it off).  When AFS tokens are obtained automatically as a side 
effect of clicking "Get Tickets...", a user who isn't aware of this 
certainly won't know that they need to do something else besides 
clicking "Destroy Tickets" to safely leave the computer.

-- 
Alexei Kosut <akosut@cs.stanford.edu> <http://cs.stanford.edu/~akosut/>