nfsv4 sec=krb5 + xscreensaver

Douglas E. Engert deengert at anl.gov
Tue Sep 20 17:46:48 EDT 2005



FM wrote:

> I'm using the pam_krb5 included with RedHat Enterprise 4.
> I looked inside the README in the source and there is no refresh_creds 
> option.
> 
> Which pam_krb5 are you using?
> 

Depends on system.

On Solaris 10, xscreensaver calls the Solaris PAM and refresh works
without any extra parameters.

Others are a version of Frank Cusack's pam_krb5 with mods, including
a refresh_creds.

And the SourceForge pam_krb5-1.3-rc7 has a refresh_creds option.




> 
> Douglas E. Engert wrote:
> 
>>
>>
>> FM wrote:
>>
>>> Thanks for your reply,
>>> The prob is that xscreensaver (with pam_krb5) authenticates me:
>>>
>>> Sep 20 15:26:11 SRV krb5kdc[17590](info): AS_REQ (2 etypes {16 1}) 
>>> 192.168.4.171(88): ISSUE: authtime 1127244371, etypes {rep=16 tkt=16 
>>> ses=16}, USER at REALM for krbtgt/REALM at RELAM
>>>
>>> but it does not refresh or recreate a TGT.
>>>
>>
>> Does your pam_krb5 have a "refresh_creds" option?
>>
>>> So if TGT expires, and my home folder is using NFSV4 (sec=krb5), I 
>>> won't be able to access it.
>>>
>>>
>>>
>>>
>>> Douglas E. Engert wrote:
>>>
>>>>
>>>>
>>>> FM wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> We are using MIT krb5 + LDAP on server and pam_krb5
>>>>> (pam_krb5-2.1.2-1) on clients
>>>>>
>>>>> I'd like to use nfsv4 sec=krb5 for my home users folders.
>>>>>
>>>>> with sec=krb5, the nfs server will check the TGT of the user, the 
>>>>> prob is :
>>>>> when you unlock your computer, your TGT is not created or renewed.
>>>>> So user needs to kinit again.
>>>>>
>>>>> So, I suppose, that I won't be able to use my home folder after 
>>>>> the TGT
>>>>> expiration.
>>>>>
>>>>>
>>>>> Is there a way to renew TGT when locking computer with xscreensaver?
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> You mean when unlocking?  Yes, if the xscreensaver calls PAM,
>>>> the pam_krb5 could do this using the password provided for unlocking.
>>>> We do this on Solaris. Your pam_krb5 may be able to reuse the same 
>>>> cache.
>>>>
>>>>>
>>>>> ________________________________________________
>>>>> Kerberos mailing list           Kerberos at mit.edu
>>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>>
>>>>>
>>>>
>>>
>>>
>>
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
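
An added example, not part of the original messages or of any pam_krb5 code: a service ticket carries the authtime of the TGT it was requested with, so the KDC log alone can show whether the TGT issued at unlock ever reached the cache the NFS client uses. The log lines are constructed in the format quoted in the thread; the principal, realm and NFS service names are placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the krb5kdc log format quoted in the thread.
# Principal, realm and NFS host names are placeholders; the two AS_REQs are 8 h apart.
SAMPLE_LOG = """\
Sep 20 07:26:11 SRV krb5kdc[17590](info): AS_REQ (2 etypes {16 1}) 192.168.4.171(88): ISSUE: authtime 1127215571, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Sep 20 15:26:11 SRV krb5kdc[17590](info): AS_REQ (2 etypes {16 1}) 192.168.4.171(88): ISSUE: authtime 1127244371, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Sep 20 15:30:02 SRV krb5kdc[17590](info): TGS_REQ (1 etypes {16}) 192.168.4.171(88): ISSUE: authtime 1127215571, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.COM for nfs/srv.example.com@EXAMPLE.COM
"""

LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) "
    r"(?P<addr>[^\s(]+)\(\d+\): ISSUE: authtime (?P<authtime>\d+), "
    r"etypes \{[^}]*\}, (?P<client>\S+) for (?P<service>\S+)"
)

def utc(ts):
    """Render an authtime (seconds since the epoch) as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

def parse_issues(log_text):
    """Yield (req, addr, authtime, client, service) for every ISSUE line."""
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            yield m["req"], m["addr"], int(m["authtime"]), m["client"], m["service"]

def stale_tgs_requests(log_text):
    """Return TGS_REQs made with a TGT older than the newest one issued
    to the same client principal from the same host address."""
    newest = {}  # (client, addr) -> authtime of the latest TGT issued
    stale = []
    for req, addr, authtime, client, service in parse_issues(log_text):
        key = (client, addr)
        if req == "AS_REQ" and service.startswith("krbtgt/"):
            newest[key] = max(authtime, newest.get(key, 0))
        elif req == "TGS_REQ" and authtime < newest.get(key, 0):
            # The unlock produced a newer TGT, but this request used the old one.
            stale.append((client, service, utc(authtime), utc(newest[key])))
    return stale

if __name__ == "__main__":
    for row in stale_tgs_requests(SAMPLE_LOG):
        print(row)
```

A second login session for the same user on the same host can also produce an older authtime, so a hit is a prompt to check the credential cache of the locked session, not proof by itself.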
