Erik Dalén <[email protected]> writes:
> /etc/pam.d/common-session
> # here are the per-package modules (the "Primary" block)
> session [default=1] pam_permit.so
> # here's the fallback if no module succeeds
> session requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> session required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> session optional pam_krb5.so minimum_uid=1000
> session required pam_unix.so
> session optional pam_afs_session.so
> # end of pam-auth-update config
>
> And in /etc/sudoers.d I have a file that specifies:
>
> %wheel ALL=(ALL) NOPASSWD: ALL
>
> and I am a member of group 'wheel'.

Sorry about the delay in getting back to you about this. I finally got a
chance to look at this in more depth.

After doing some testing, I think the common-auth configuration is a red
herring, and the root of the problem was that pam-afs-session didn't think
that Kerberos had been used as a login method and therefore didn't run
aklog. Since your sudoers configuration file includes NOPASSWD, you
wouldn't have to do a Kerberos authentication when you sudo, which means
that pam-krb5 is not run and doesn't create KRB5CCNAME in the PAM
environment. (Although I'm a little confused how this ever worked even
when adding pam-afs-session to a different section of the auth
configuration, since it looks to me like the problem should have affected
pam-afs-session run in that fashion as well.)

The next version of pam-afs-session will fall back on KRB5CCNAME in the
general environment if it is set and KRB5CCNAME is not set in the PAM
environment. In my testing, this resolved the problem with this
configuration. The Debian bug tracking system will let you know when I
upload the new package, and testing would be very welcome. Please do let
me know if this doesn't work. Alternately, if you want to try the current
development source right away, it's available from my Git repository
linked from:

http://www.eyrie.org/~eagle/software/pam-afs-session/

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
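
Added example, not part of the message above and not pam-afs-session's own code: a sketch of the lookup order the reply describes, with KRB5CCNAME taken from the PAM environment when present and from the general environment otherwise. The names `resolve_ccname`, `env_get` and `cc_source` are hypothetical, both environments are passed in as "NAME=value" lists so the block runs without libpam, and the cache paths are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Which environment supplied the ticket cache name. */
enum cc_source { CC_NONE, CC_PAM_ENV, CC_PROCESS_ENV };

/* Look NAME up in a NULL-terminated "NAME=value" list, the shape of both
 * pam_getenvlist() output and the process environ. Empty counts as unset. */
static const char *env_get(char *const *list, const char *name)
{
    size_t n = strlen(name);
    for (; list != NULL && *list != NULL; list++)
        if (strncmp(*list, name, n) == 0 && (*list)[n] == '=')
            return (*list)[n + 1] != '\0' ? *list + n + 1 : NULL;
    return NULL;
}

/* Hypothetical helper: prefer KRB5CCNAME from the PAM environment, then
 * fall back on the general environment, recording which one was used. */
const char *resolve_ccname(char *const *pam_env, char *const *proc_env,
                           enum cc_source *src)
{
    const char *cc = env_get(pam_env, "KRB5CCNAME");
    *src = CC_PAM_ENV;
    if (cc == NULL) {
        cc = env_get(proc_env, "KRB5CCNAME");
        *src = (cc != NULL) ? CC_PROCESS_ENV : CC_NONE;
    }
    return cc;
}

int main(void)
{
    /* Constructed sample: sudo with NOPASSWD, so pam-krb5 never ran and
     * the PAM environment carries no KRB5CCNAME. */
    char *const pam_env[] = { "PATH=/usr/bin", NULL };
    char *const proc_env[] = { "KRB5CCNAME=FILE:/tmp/krb5cc_1000_example", NULL };
    enum cc_source src;
    const char *cc = resolve_ccname(pam_env, proc_env, &src);

    printf("cache=%s source=%s\n", cc ? cc : "(none)",
           src == CC_PAM_ENV ? "pam" : src == CC_PROCESS_ENV ? "process" : "none");
    return 0;
}
```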