LinuxSupportFAQForm | |
---|---|
SupportProblem | kinit, klog, klog.krb clarification - what to use on SLC? |
SupportAnswer |
As part of the ongoing migration from Kerberos4 to Kerberos5, users are asked to no longer run the klog command and to use kinit instead. This is typically only required to get fresh credentials in a long-running session (new sessions that authenticate the user with a password should generally start with fresh credentials anyway).
Using klog is deprecated and should be avoided, except in very specific circumstances where only an AFS token is desired (e.g. for a remote cell).
Background
Originally, each of the commands had a specific functionality:
kinit (from /usr/sue/bin, which usually comes very early in the PATH) is actually a shell script that invokes (MIT) kinit and afs5log, which provides Kerberos5+4+AFS credentials in one go.
The similar but older wrapper script for klog now gives a warning.
It has been suggested to have klog invoke kinit instead, to hide this transition from users. We feel that the technical difference should rather be exposed, especially since kinit has other interesting options: for example, it can "renew" an existing credential without asking for a password, which is not available with klog. Besides enabling such new functionality, we also expect users to better understand the underlying details, which allows us to troubleshoot issues much more quickly.
One case in which to continue using the klog command would be to get AFS tokens only (no Kerberos tickets desired) for a remote AFS cell. In this case please use /usr/bin/klog directly, and not the SUE wrapper.
|
OsVersion | all |
HardwareArchitecture | any |
ApprovedBySupport | SupportApproved |