nfsv4 sec=krb5 + xscreensaver
Douglas E. Engert
deengert at anl.gov
Tue Sep 20 16:30:50 EDT 2005
FM wrote:
> Thanks for your reply,
> The prob is that xscreensaver (with pam_krb5) authenticate me :
>
> Sep 20 15:26:11 SRV krb5kdc[17590](info): AS_REQ (2 etypes {16 1})
> 192.168.4.171(88): ISSUE: authtime 1127244371, etypes {rep=16 tkt=16
> ses=16}, USER at REALM for krbtgt/REALM at RELAM
>
> but it does not refresh or recreate a TGT.
>
Does you pam_krb5 have a "refresh_creds" option?
> So if TGT expires, and my home folder is using NFSV4 (sec=krb5) and I
> won't be able to access it.
>
>
>
>
> Douglas E. Engert wrote:
>
>>
>>
>> FM wrote:
>>
>>> Hello,
>>>
>>> We are are using MIT krb5 + LDAP on server and pam_krb5
>>> (pam_krb5-2.1.2-1) on clients
>>>
>>> I'd like to use nfsv4 sec=krb5 for my home users folers.
>>>
>>> with sec=krb5, the nfs server will check the TGT of the user, the
>>> prob is :
>>> when you unlock you computer, yout TGT is not creat of renew.
>>> So user nee to kinit again.
>>>
>>> So , I suppose, that I won't be able to use my home folder after the TGT
>>> expiration.
>>>
>>>
>>> Is there a way to renew TGT when locking computer with xscreensaver ?
>>
>>
>>
>> You mean when unlocking? Yes, if the xscreensaver calls PAM,
>> the pam_krb5 could do this using the password provided for unlocking.
>> We do this on Solaris. Your pam_krb5 may be able to reuse the same cache.
>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list