cron on AFS files]

Ken Hornstein
Sat, 03 Mar 2001 00:16:47 -0500

>But most of our AFS clients don't have an /etc/krb.conf.  That's why our 
>primary authentication server has the alias 'kerberos', because we don't 
>have the ability to dictate the contents of /etc/krb.conf or environment 
>variables on the users' workstations.  Yet klog manages to exercise 
>redundancy in the face of this... how?

You certainly have the ability to dictate the contents of /usr/vice/etc/
CellServDB on your AFS clients, don't you? :-)

FWIW, klog doesn't use the V4 Kerberos network protocol; it uses
RX to talk to one of the kaservers listed in your CellServDB.  I think
there's an API function that does what you want (probably something like
ka_UserAuthenticateGeneral(), but I forget now).

>>The advantage of gettoken is that it uses a srvtab and not a user
>>password.  The srvtab still needs to be stored somewhere on the local
>>machine, and is a security issue, but it's not quite as bad as
>>storing a naked plaintext password.

I don't really agree here; it's only _slightly_ better (I'm talking a
hair better), since the key is a password-equivalant.