Derek Atkins wrote:
>
> "Douglas E. Engert" <[EMAIL PROTECTED]> writes:
>
> >> > That might help. But it does not help with the gssapi delegated credentials,
> >> > as the kafs is expecting s->authctxt->krb5_ctx to be the Kerberos
> >> > context. It's not in the gssapi case.
> >>
> >> Why doesn't it help?
> >
> > Because when the GSSAPI is used, the delegated credential is not
> > in s->authctxt->krb5_ctx SO the current kafs does not work with a
> > delegated credential. But in all cases the credentials are in the cache,
> > so a program like aklog called at this point can use the KRB5CCNAME.
>
> Then fix kafs so it uses the KRB5CCNAME instead of s->authctxt->krb5_ctx...
> Or fix the GSSAPI code so it stores the delegated credentials in that
> location as well.

WHAT DO YOU THINK I HAVE BEEN DOING ALL THESE YEARS TRYING TO GET YOU GUYS
TO LISTEN!!

I have been saying pitch kafs, put in a hook, use the fact that the
KRB5CCNAME is set. I have a nice mod called get_afs_token, which I am
using with OpenSSH and the MIT rlogind, rshd, telnetd and ftpd.
I have been using this method for years with AFS and DFS. It sets the
PAG using a syscall then fork/execs ak5log.

BUT I want to get out of maintaining patches and see these types of
changes end up in the source so they will end up in distributed products
that work together!!

>
> This isn't rocket science. ;)

Sometimes I think it's harder :-)

>
> I suspect the latter change would require maybe 5 lines of code at
> most to implement.
>
> -derek
>
> --
>        Derek Atkins                 617-623-3745
>        [EMAIL PROTECTED]             www.ihtfp.com
>        Computer and Internet Security Consultant

--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel
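
The hook approach discussed in this thread (create the PAG, then fork/exec a token-fetching helper that finds the credentials through KRB5CCNAME rather than through s->authctxt->krb5_ctx) can be sketched as follows. This is an added example, not part of the original message and not the get_afs_token code it mentions; `run_token_hook` and `pag_setter_fn` are hypothetical names, and the PAG call is passed in as a callback because it is platform specific.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical callback: wraps whatever call creates a new PAG on this
 * platform. Returns 0 on success. NULL means "do not create a PAG". */
typedef int (*pag_setter_fn)(void);

/*
 * Run a token-fetching helper (aklog, ak5log, ...) against the credential
 * cache named by ccname. helper_argv[0] must be an absolute path so the
 * daemon never depends on PATH. Returns the helper's exit status, or -1 if
 * the arguments are bad, the PAG call/fork/wait failed, or the helper was
 * killed by a signal.
 */
int run_token_hook(pag_setter_fn set_pag, char *const helper_argv[],
                   const char *ccname)
{
    int status;
    pid_t pid;

    if (helper_argv == NULL || helper_argv[0] == NULL || ccname == NULL)
        return -1;

    /* Create the PAG in the session process first, so the helper (and the
     * user's shell later) inherit it and the tokens land in that PAG. */
    if (set_pag != NULL && set_pag() != 0)
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: the cache name is the only thing handed to the helper.
         * This works the same for password and GSSAPI-delegated logins. */
        if (setenv("KRB5CCNAME", ccname, 1) != 0)
            _exit(126);
        execv(helper_argv[0], helper_argv);
        _exit(127);                     /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A caller that treats a non-zero return as "no tokens" can log it and continue the login, since a missing AFS token should not by itself deny the session.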
