Reaching out again hoping that someone might have an idea as to what my
problem is.
Thanks,
Jeffrey.
On Fri, Dec 11, 2009 at 10:43 AM, Jeffrey Watts
jeffrey.w.wa...@gmail.com wrote:
Hello, I've been working with Kerberos for the last few months getting
Linux and HP-UX servers to authenticate
Jeffrey Watts jeffrey.w.wa...@gmail.com writes:
Reaching out again hoping that someone might have an idea as to what my
problem is.
Thanks,
Jeffrey.
On Fri, Dec 11, 2009 at 10:43 AM, Jeffrey Watts
jeffrey.w.wa...@gmail.com wrote:
Hello, I've been working with Kerberos for the last few
Long ago, we evaluated the facilities within OS-provided
sshd for handling our Kerberos + OpenAFS authentication
needs. That is, things like the Kerberos* settings,
GetAFSToken or whatever it was called, etc.
We found it to be an unusable mismatched moving target.
We decided to do everything
Thanks for the response. Here's what's in my krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime
Jeff Blaine jbla...@stage-infinity.com writes:
We decided to do everything via PAM, with the exception of ssh public
key auth for those who choose to use it and not get OpenAFS tokens
automatically.
It works great thanks to pam_krb5 and pam_afs_session from Russ Allbery.
Our problem now
Jeff Blaine wrote:
Long ago, we evaluated the facilities within OS-provided
sshd for handling our Kerberos + OpenAFS authentication
needs. That is, things like the Kerberos* settings,
GetAFSToken or whatever it was called, etc.
We found it to be an unusable mismatched moving target.
On 12/16/2009 5:39 PM, Douglas E. Engert wrote:
Jeff Blaine wrote:
Long ago, we evaluated the facilities within OS-provided
sshd for handling our Kerberos + OpenAFS authentication
needs. That is, things like the Kerberos* settings,
GetAFSToken or whatever it was called, etc.
We found it to
Jeffrey Watts jeffrey.w.wa...@gmail.com writes:
Their computer account entries are very similar. Here's the contents of the
krb5.keytab:
# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--
2
On 12/16/2009 8:33 PM, Russ Allbery wrote:
Jeff Blaine jbla...@stage-infinity.com writes:
sshd[20489]: [ID 237248 auth.debug] (pam_afs_session):
pam_sm_open_session: entry (0x0)
sshd[20489]: [ID 237248 auth.debug] (pam_afs_session): skipping tokens,
no Kerberos ticket cache
Hm, are you
Jeff Blaine jbla...@stage-infinity.com writes:
Yup, they're there, just no tokens. I even tried a pam_krb5RA2.so and
pam_afs_session2.so built against the Sun kerberos instead of our local
MIT kerberos for kicks. Same result.
~:faron kdestroy
~:faron logout
Connection to faron closed.
On 12/16/2009 10:24 PM, Russ Allbery wrote:
Jeff Blaine jbla...@stage-infinity.com writes:
Yup, they're there, just no tokens. I even tried a pam_krb5RA2.so and
pam_afs_session2.so built against the Sun kerberos instead of our local
MIT kerberos for kicks. Same result.
~:faron kdestroy
Jeff Blaine jbla...@stage-infinity.com writes:
On 12/16/2009 10:24 PM, Russ Allbery wrote:
Oh, right, I remember this problem now. This is why Douglas has
another PAM module that does nothing except set KRB5CCNAME in the
environment for use on Solaris. Solaris uses the default UID-based