nfsv4 sec=krb5 + xscreensaver
FM
dist-list at LEXUM.UMontreal.CA
Tue Sep 20 16:57:08 EDT 2005
I'm using pam_krb5 include with RedHat enterprise 4.
I look inside the README in the source and there is no refresh_creds option.
Which pam_krb5 are you using ?
Douglas E. Engert wrote:
>
>
> FM wrote:
>
>> Thanks for your reply,
>> The prob is that xscreensaver (with pam_krb5) authenticate me :
>>
>> Sep 20 15:26:11 SRV krb5kdc[17590](info): AS_REQ (2 etypes {16 1})
>> 192.168.4.171(88): ISSUE: authtime 1127244371, etypes {rep=16 tkt=16
>> ses=16}, USER at REALM for krbtgt/REALM at RELAM
>>
>> but it does not refresh or recreate a TGT.
>>
>
> Does you pam_krb5 have a "refresh_creds" option?
>
>> So if TGT expires, and my home folder is using NFSV4 (sec=krb5) and I
>> won't be able to access it.
>>
>>
>>
>>
>> Douglas E. Engert wrote:
>>
>>>
>>>
>>> FM wrote:
>>>
>>>> Hello,
>>>>
>>>> We are are using MIT krb5 + LDAP on server and pam_krb5
>>>> (pam_krb5-2.1.2-1) on clients
>>>>
>>>> I'd like to use nfsv4 sec=krb5 for my home users folers.
>>>>
>>>> with sec=krb5, the nfs server will check the TGT of the user, the
>>>> prob is :
>>>> when you unlock you computer, yout TGT is not creat of renew.
>>>> So user nee to kinit again.
>>>>
>>>> So , I suppose, that I won't be able to use my home folder after the
>>>> TGT
>>>> expiration.
>>>>
>>>>
>>>> Is there a way to renew TGT when locking computer with xscreensaver ?
>>>
>>>
>>>
>>>
>>> You mean when unlocking? Yes, if the xscreensaver calls PAM,
>>> the pam_krb5 could do this using the password provided for unlocking.
>>> We do this on Solaris. Your pam_krb5 may be able to reuse the same
>>> cache.
>>>
>>>>
>>>> ________________________________________________
>>>> Kerberos mailing list Kerberos at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>>
>>>
>>
>>
>
More information about the Kerberos
mailing list