On 8/5/2014 10:43 AM, Andrew Deason wrote:
On Tue, 05 Aug 2014 09:34:30 -0500
Douglas E Engert <deeng...@gmail.com> wrote:

On 8/4/2014 9:35 PM, Andrew Deason wrote:
Users of all other kerberized services do not need to "login" to every
service they use. If everything is configured properly to use kerberos,
I don't need to separately login to the ldap server, to ssh, to
kerberized nfs, or even to a website using spnego. I just use the
relevant service after I have acquired kerberos tickets.
Of course, most
of those are userspace programs where this is much easier, but I see no
reason for the user experience to be different for a non-userspace
application if there are no technical obstacles making it impossible.
(And imo, NFS has shown it's not impossible.)

That works if both user and server are in same realm or with cross
realm trust. An afs aklog daemon could work like (or use) the
rpc.gssd.

Yes... that's what I've been proposing. (Well, one of the approaches.)

This works well in an enterprise, or where cross realm trust between
organizations is set up. But widespread cross realm trust has not
caught on, and it is not clear if the original question of this
thread was addressing where the user did not do a Kerberos login.

I don't see how that matters. Either the user logged in via pam_krb5 or
something, or they logged in without any krb5 integration and manually
ran 'kinit'. Either way it should be possible to work without any
AFS-aware authentication steps.

OK, they still had to have Kerberos tickets. I was looking more at
"single sign on". It would be nice if the aklog step could be handled
by a gssd.

There is still the issue of where a gssd will find the ticket cache.

As a side note, where I used to work, is a member of InCommon, uses AD
for kerberos, and the Shibboleth IDP would accept user/password,
Smartcards or Windows Auto Enroll certificates, or Kerberos credentials
for authentication. We used Box and other cloud services. AFS is used
only internally and works without the users having to use aklog
if they logged in via Kerberos to AD.

I'm assuming you mean that 'aklog' or an equivalent was run during the
login process, and it just wasn't visible to the users. That is, 'aklog'
(or equivalent) was still run; the system was just set up to do it for
them.

Correct, pam and kstart to keep it up to date.

--

 Douglas E. Engert  <deeng...@gmail.com>

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info