cron on AFS files]

Peter Scott
Sat, 03 Mar 2001 08:56:35 -0800

At 12:16 AM 3/3/01 -0500, Ken Hornstein wrote:
> >But most of our AFS clients don't have an /etc/krb.conf.  That's why our
> >primary authentication server has the alias 'kerberos', because we don't
> >have the ability to dictate the contents of /etc/krb.conf or environment
> >variables on the users' workstations.  Yet klog manages to exercise
> >redundancy in the face of this... how?
>You certainly have the ability to dictate the contents of /usr/vice/etc/
>CellServDB on your AFS clients, don't you? :-)

That'd be pushing it :-)

I suppose if we'd thought of it when we started deploying clients five 
years ago we could have done it, at the expense of having to work with 
people who actually did have and wanted to use a krb.conf for their own 
purposes.  Too late now to make it work reliably, and it has to be reliable.

>FWIW, klog doesn't use the V4 Kerberos network protocol; it uses
>RX to talk to one of the kaservers listed in your CellServDB.  I think
>there's an API function that does what you want (probably something like
>ka_UserAuthenticateGeneral(), but I forget now).

I'm aware of this routine, we even use it, but the documentation is 
thoroughly inadequate to understanding it (all I have is 
/afs/, anyway).  Does that 
do failover?  But in any case, it takes a password, and for improving 
gettoken, I need something that takes a key.

> >>The advantage of gettoken is that it uses a srvtab and not a user
> >>password.  The srvtab still needs to be stored somewhere on the local
> >>machine, and is a security issue, but it's not quite as bad as
> >>storing a naked plaintext password.
>I don't really agree here; it's only _slightly_ better (I'm talking a
>hair better), since the key is a password-equivalent.

Sure, but do you have a better idea?

Peter Scott
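The thread turns on two points: klog picks one of the kaservers listed in /usr/vice/etc/CellServDB, and the author wants a token-fetching tool that fails over between them. The following is an added example, not code from this thread or from OpenAFS: it parses the CellServDB format (a `>cell` header line followed by one `address #hostname` line per database server) and walks the servers in order until one authentication attempt succeeds. The `authenticate` callback is a hypothetical stand-in for whatever actually obtains the token (the thread mentions ka_UserAuthenticateGeneral(), which is not called here), and the CellServDB text is a constructed sample.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample in CellServDB format: ">cell #description" headers,
# then one "address #hostname" line per database server of that cell.
SAMPLE_CELLSERVDB = """\
>example.cell            #Example cell (constructed sample)
192.0.2.10               #kerberos.example.cell
192.0.2.11               #afsdb2.example.cell
>other.cell              #Another constructed cell
198.51.100.5             #db1.other.cell
"""

Server = Tuple[str, Optional[str]]  # (address, hostname from the comment, if any)


def parse_cellservdb(text: str) -> Dict[str, List[Server]]:
    """Return {cell: [servers in file order]} for a CellServDB-style text."""
    cells: Dict[str, List[Server]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):
            # Cell header: name is everything between '>' and the comment.
            current = line[1:].split("#", 1)[0].strip()
            cells[current] = []
            continue
        if current is None:
            raise ValueError(f"server line before any cell header: {raw!r}")
        addr, _, comment = line.partition("#")
        hostname = comment.strip() or None
        cells[current].append((addr.strip(), hostname))
    return cells


class AuthError(Exception):
    """Raised by the authenticate callback when one server attempt fails."""


def obtain_token_with_failover(
    cell: str,
    servers: List[Server],
    authenticate: Callable[[Server], str],
) -> Tuple[Server, str]:
    """Try each database server in order; return (server, token) on first success.

    `authenticate` is a hypothetical callback that talks to one server and
    either returns a token or raises AuthError; this function only adds the
    per-server retry the thread asks about, it does not itself speak RX or
    Kerberos.
    """
    failures: List[str] = []
    for server in servers:
        try:
            return server, authenticate(server)
        except AuthError as exc:
            failures.append(f"{server[0]}: {exc}")
    raise AuthError(
        f"all {len(servers)} database servers for cell {cell} failed: "
        + "; ".join(failures)
    )


if __name__ == "__main__":
    cells = parse_cellservdb(SAMPLE_CELLSERVDB)

    def demo_authenticate(server: Server) -> str:
        # Stand-in: the first server is "down", the second answers.
        if server[0] == "192.0.2.10":
            raise AuthError("connection timed out")
        return f"token-from-{server[0]}"

    print(obtain_token_with_failover("example.cell", cells["example.cell"], demo_authenticate))
```

Whatever actually fetches the token, the srvtab or key it uses is still password-equivalent for that principal, as the quoted reply notes; a failover wrapper improves availability of a cron job, not the exposure of the key it reads.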