Discussion:
[OpenAFS] openafs 1.8.x aklog -setpag not working? (Scientific Linux 6.10, Centos)
r.laatsch
2018-10-18 10:08:45 UTC
The aklog from openafs-1.6.23 honours the flag -setpag correctly, i.e.
sets a PAG and token if a krb5 ticket is present.

If I get an aklog compiled in openafs 1.8.x, aklog -setpag neither sets
a PAG nor a token; simple aklog (without -setpag) gives a token without
a PAG (I don't want that).

Please, can someone help?

Best regards

Rainer Laatsch
Malato, Andy
2018-10-18 10:43:25 UTC
The -setpag has long been deprecated and should no longer be used. You
should be using pagsh instead.
Post by r.laatsch
The aklog from openafs-1.6.23 honours the flag -setpag correctly, i.e.
sets a PAG and token if a krb5 ticket is present.
If I get an aklog compiled in openafs 1.8.x, aklog -setpag neither sets a
PAG nor a token; simple
aklog (without -setpag) gives a token without a PAG (I don't want that).
Please, can someone help?
Best regards
Rainer Laatsch
_______________________________________________
OpenAFS-info mailing list
https://lists.openafs.org/mailman/listinfo/openafs-info
Benjamin Kaduk
2018-10-18 15:00:58 UTC
In particular, the kernel functionality to modify the groups/keyring
contents/etc. of the parent process has not been present for a long time.
So the kernel version is arguably more relevant than the OpenAFS version.

-Ben
Post by Malato, Andy
The -setpag has long been deprecated and should no longer be used. You
should be using pagsh instead.
Post by r.laatsch
The aklog from openafs-1.6.23 honours the flag -setpag correctly, i.e.
sets a PAG and token if a krb5 ticket is present.
If I get an aklog compiled in openafs 1.8.x, aklog -setpag neither sets a
PAG nor a token; simple
aklog (without -setpag) gives a token without a PAG (I don't want that).
Please, can someone help?
Best regards
Rainer Laatsch
r.laatsch
2018-10-19 19:53:37 UTC
Thanks to all for writing.

PAG and token are mostly needed at login. Could all be done under PAM.

If there is no PAM given, the user must do it in his shell startup profile.

The use of pagsh there is tricky (but possible), but a working aklog -setpag
makes that easy and straightforward. (One could kinit in the profile or
scp a ticket from your home computer to /tmp/ beforehand using key login;
/tmp/ is writable then.)

The documentation says the -setpag flag might not work everywhere.
Under 1.8.x, that's true for my environment, alas; does the code change help
somewhere else?

So I will use my working 1.6.20+ aklog further.

To avoid a full compilation of a 1.6.20+ version just for the aklog, a
much simpler approach is to use gssklog -setpag from D.E.Engert @anl (great!);
the source is still available at

  http://www.hep.manchester.ac.uk/u/masj/gssklog/

Best regards,

Rainer Laatsch


---------------------------------------------------------
Post by Benjamin Kaduk
In particular, the kernel functionality to modify the groups/keyring
contents/etc. of the parent process has not been present for a long time.
So the kernel version is arguably more relevant than the OpenAFS version.
-Ben
Post by Malato, Andy
The -setpag has long been deprecated and should no longer be used. You
should be using pagsh instead.
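A sketch of the pagsh-in-profile approach discussed in this thread, as an added example that is not from any of the posters or from OpenAFS itself. It assumes a Bourne-style login shell, that pagsh passes its arguments through to the user's shell, and a made-up marker variable AFS_PAG_GUARD that stops the new shell from re-entering the function.

```shell
# Fragment for ~/.profile (added example, not from the thread).
# AFS_PAG_GUARD is a hypothetical marker variable chosen for this example.

afs_pag_login() {
    # Already inside the shell that pagsh started: do nothing, so a
    # startup file that is read again cannot cause an endless re-exec.
    [ -z "${AFS_PAG_GUARD:-}" ] || return 0

    # No pagsh on this host: keep the current shell instead of
    # breaking the login. The caller can tell from the exit status.
    command -v pagsh >/dev/null 2>&1 || return 1

    AFS_PAG_GUARD=1
    export AFS_PAG_GUARD

    # Replace this shell with one that runs in a fresh PAG. aklog runs
    # inside that PAG, so the token is attached to the PAG rather than
    # being a PAG-less token of the kind the original post wants to
    # avoid. The final exec hands over to the normal interactive shell.
    exec pagsh -c 'aklog; exec "$SHELL"'
}

# Only interactive shells get a PAG; scp, sftp and cron jobs that read
# this file are left untouched.
case $- in
    *i*) afs_pag_login || : ;;
esac
```

A Kerberos ticket must already be present when this runs (for example from kinit earlier in the profile), otherwise aklog inside the new PAG obtains no token.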