nfsv4 sec=krb5 + xscreensaver


nfsv4 sec=krb5 + xscreensaver

FM-4
Hello,

We are using MIT krb5 + LDAP on server and pam_krb5
(pam_krb5-2.1.2-1) on clients

I'd like to use nfsv4 sec=krb5 for my home users folders.

with sec=krb5, the nfs server will check the TGT of the user, the prob is:
when you unlock your computer, your TGT is not created or renewed.
So the user needs to kinit again.

So, I suppose that I won't be able to use my home folder after the TGT
expiration.


Is there a way to renew the TGT when locking the computer with xscreensaver?

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: nfsv4 sec=krb5 + xscreensaver

Douglas E. Engert


FM wrote:

> Hello,
>
> We are using MIT krb5 + LDAP on server and pam_krb5
> (pam_krb5-2.1.2-1) on clients
>
> I'd like to use nfsv4 sec=krb5 for my home users folders.
>
> with sec=krb5, the nfs server will check the TGT of the user, the prob is:
> when you unlock your computer, your TGT is not created or renewed.
> So the user needs to kinit again.
>
> So, I suppose that I won't be able to use my home folder after the TGT
> expiration.
>
>
> Is there a way to renew the TGT when locking the computer with xscreensaver?

You mean when unlocking?  Yes, if the xscreensaver calls PAM,
the pam_krb5 could do this using the password provided for unlocking.
We do this on Solaris. Your pam_krb5 may be able to reuse the same cache.


--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: nfsv4 sec=krb5 + xscreensaver

FM-4
Thanks for your reply,
The prob is that xscreensaver (with pam_krb5) authenticates me:

Sep 20 15:26:11 SRV krb5kdc[17590](info): AS_REQ (2 etypes {16 1})
192.168.4.171(88): ISSUE: authtime 1127244371, etypes {rep=16 tkt=16
ses=16}, USER@REALM for krbtgt/REALM@RELAM

but it does not refresh or recreate a TGT.

So if the TGT expires and my home folder is using NFSv4 (sec=krb5), I
won't be able to access it.





Re: nfsv4 sec=krb5 + xscreensaver

Douglas E. Engert


FM wrote:

> Thanks for your reply,
> The prob is that xscreensaver (with pam_krb5) authenticates me:
>
> Sep 20 15:26:11 SRV krb5kdc[17590](info): AS_REQ (2 etypes {16 1})
> 192.168.4.171(88): ISSUE: authtime 1127244371, etypes {rep=16 tkt=16
> ses=16}, USER@REALM for krbtgt/REALM@RELAM
>
> but it does not refresh or recreate a TGT.
>

Does your pam_krb5 have a "refresh_creds" option?

> So if the TGT expires and my home folder is using NFSv4 (sec=krb5), I
> won't be able to access it.

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: nfsv4 sec=krb5 + xscreensaver

FM-4
I'm using the pam_krb5 included with RedHat Enterprise 4.
I looked inside the README in the source and there is no refresh_creds option.

Which pam_krb5 are you using ?



Re: nfsv4 sec=krb5 + xscreensaver

Douglas E. Engert


FM wrote:

> I'm using the pam_krb5 included with RedHat Enterprise 4.
> I looked inside the README in the source and there is no refresh_creds
> option.
>
> Which pam_krb5 are you using ?
>

Depends on system.

On Solaris 10, xscreensaver calls the Solaris PAM and refresh works
without any extra parameters.

Others are a version of Frank Cusack's pam_krb5 with mods including
a refresh_creds.

And the SourceForge pam_krb5-1.3-rc7 has a refresh_creds option.





--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: nfsv4 sec=krb5 + xscreensaver

Michael Calmer
In reply to this post by FM-4
Hi,

from pam_krb5 NEWS file:

- 2.2: * refreshing of preexisting credentials works, so unlocking your
         screensaver should fetch new credentials and tokens.  Be careful that
         you don't invoke the authentication function with the "tokens" flag,
         which creates a new PAG, if you want this to be useful.

So you need version 2.2.X of pam_krb5.

On Tuesday, 20 September 2005 22:57, FM wrote:

> I'm using the pam_krb5 included with RedHat Enterprise 4.
> I looked inside the README in the source and there is no refresh_creds
> option.
>
> Which pam_krb5 are you using ?

--
Best regards

        Michael Calmer

--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575  - [hidden email]
--------------------------------------------------------------------------

Re: nfsv4 sec=krb5 + xscreensaver

Thomas A. La Porte
In reply to this post by FM-4
We have an IssueTracker issue open with RedHat to roll in the
refresh_creds option changes from the sourceforge pam_krb5 into
the stock RedHat RPM.

We're hoping to see something in RHEL3 and RHEL4.

  -- Tom

Thomas A. La Porte, DreamWorks SKG
<mailto:[hidden email]>

On Tue, 20 Sep 2005, FM wrote:

> I'm using the pam_krb5 included with RedHat Enterprise 4.
> I looked inside the README in the source and there is no refresh_creds option.
>
> Which pam_krb5 are you using ?
>
>

Re: nfsv4 sec=krb5 + xscreensaver (FIXED)

FM-4
Thanks to all,

I went to the redhat pam_krb5 web page, downloaded pam_krb5-2.2,
created an RPM and installed it.

Now, when I'm back from xscreensaver, my TGT is renewed!

If Redhat adds the feature to the stock kernel, I'll reinstall the
official module

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
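
Added example, not part of the original thread or of any pam_krb5 code: a check for the symptom discussed above, where the KDC logs an AS_REQ ISSUE at unlock but the credential cache keeps the old TGT. The function names are hypothetical, both sample inputs are constructed (the KDC line follows the format quoted in the thread), and the klist text is assumed to use the MIT layout with times printed in UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed samples. The KDC line follows the format quoted in the thread;
# the klist text assumes MIT klist layout with times printed in UTC (TZ=UTC).
KDC_LINE = ("Sep 20 15:26:11 SRV krb5kdc[17590](info): AS_REQ (2 etypes {16 1}) "
            "192.168.4.171(88): ISSUE: authtime 1127244371, etypes {rep=16 tkt=16 "
            "ses=16}, USER@REALM for krbtgt/REALM@REALM")
KLIST_STALE = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: USER@REALM

Valid starting     Expires            Service principal
09/20/05 13:00:00  09/20/05 23:00:00  krbtgt/REALM@REALM
"""
KLIST_REFRESHED = KLIST_STALE.replace("09/20/05 13:00:00  09/20/05 23:00:00",
                                      "09/20/05 19:26:11  09/21/05 05:26:11")

AS_ISSUE = re.compile(r"AS_REQ .*ISSUE: authtime (\d+),.* (\S+) for krbtgt/\S+")
STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TGT_ROW = re.compile(rf"^{STAMP}\s+{STAMP}\s+krbtgt/\S+", re.M)

def kdc_issue(line):
    """Return (client principal, authtime) for an AS_REQ ISSUE line, else None."""
    m = AS_ISSUE.search(line)
    if not m:
        return None
    return m.group(2), datetime.fromtimestamp(int(m.group(1)), timezone.utc)

def tgt_times(klist_text):
    """Return (start, expiry) of the cached krbtgt ticket, else None."""
    m = TGT_ROW.search(klist_text)
    if not m:
        return None
    fmt = "%m/%d/%y %H:%M:%S"
    return tuple(datetime.strptime(g, fmt).replace(tzinfo=timezone.utc)
                 for g in m.groups())

def unlock_result(kdc_line, klist_text, skew=timedelta(minutes=5)):
    """Compare the KDC's authtime with the TGT actually held in the cache."""
    issue, cached = kdc_issue(kdc_line), tgt_times(klist_text)
    if issue is None:
        return "no-as-req"
    if cached is None:
        return "no-tgt"
    # A cached TGT older than the KDC's issue time means the unlock only
    # verified the password and the newly issued ticket was not stored.
    return "refreshed" if cached[0] >= issue[1] - skew else "stale"

if __name__ == "__main__":
    print(unlock_result(KDC_LINE, KLIST_STALE), unlock_result(KDC_LINE, KLIST_REFRESHED))
```

A "stale" result after an unlock matches the behaviour reported with pam_krb5-2.1.2-1; "refreshed" matches what was reported after installing pam_krb5-2.2.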