nfsv4 sec=krb5 + xscreensaver

Michael Calmer mc at suse.de
Wed Sep 21 04:54:05 EDT 2005


Hi,

From the pam_krb5 NEWS file:

- 2.2: * refreshing of preexisting credentials works, so unlocking your
         screensaver should fetch new credentials and tokens.  Be careful that
         you don't invoke the authentication function with the "tokens" flag,
         which creates a new PAG, if you want this to be useful.

So you need version 2.2.X of pam_krb5.

On Tuesday, 20 September 2005 22:57, FM wrote:
> I'm using the pam_krb5 included with RedHat Enterprise 4.
> I looked inside the README in the source and there is no refresh_creds
> option.
>
> Which pam_krb5 are you using?
>
> Douglas E. Engert wrote:
> > FM wrote:
> >> Thanks for your reply,
> >> The problem is that xscreensaver (with pam_krb5) authenticates me:
> >>
> >> Sep 20 15:26:11 SRV krb5kdc[17590](info): AS_REQ (2 etypes {16 1})
> >> 192.168.4.171(88): ISSUE: authtime 1127244371, etypes {rep=16 tkt=16
> >> ses=16}, USER at REALM for krbtgt/REALM at RELAM
> >>
> >> but it does not refresh or recreate a TGT.
> >
> > Does your pam_krb5 have a "refresh_creds" option?
> >
> >> So if the TGT expires and my home folder is using NFSV4 (sec=krb5), I
> >> won't be able to access it.
> >>
> >> Douglas E. Engert wrote:
> >>> FM wrote:
> >>>> Hello,
> >>>>
> >>>> We are using MIT krb5 + LDAP on the server and pam_krb5
> >>>> (pam_krb5-2.1.2-1) on clients
> >>>>
> >>>> I'd like to use nfsv4 sec=krb5 for my users' home folders.
> >>>>
> >>>> With sec=krb5, the nfs server will check the TGT of the user. The
> >>>> problem is:
> >>>> when you unlock your computer, your TGT is not created or renewed.
> >>>> So the user needs to kinit again.
> >>>>
> >>>> So, I suppose that I won't be able to use my home folder after the
> >>>> TGT
> >>>> expiration.
> >>>>
> >>>>
> >>>> Is there a way to renew the TGT when locking the computer with xscreensaver?
> >>>
> >>> You mean when unlocking?  Yes, if the xscreensaver calls PAM,
> >>> the pam_krb5 could do this using the password provided for unlocking.
> >>> We do this on Solaris. Your pam_krb5 may be able to reuse the same
> >>> cache.
> >>>
> >>>> ________________________________________________
> >>>> Kerberos mailing list           Kerberos at mit.edu
> >>>> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Best regards

	Michael Calmer

--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575  - Michael.Calmer at suse.com
--------------------------------------------------------------------------

