Several people have been asking me as well as the OpenAFS list about problems with the pam_krb5 PAM module included with Red Hat Enterprise Linux 4. It has several bugs, including:
- doesn't work properly with dynroot enabled
- may not work when your 'root.cell' volume is replicated across more than 1 server

I finally got around to doing a proper fix for these issues. I rebuilt the pam_krb5 RPM with the following changes:

1. pam_krb5 was basically doing 'fs whichcell /afs' to determine the name of the local cell. So if you had dynroot enabled it wanted to obtain tokens in a cell named 'dynroot'. I changed it to do the equivalent of 'fs wscell' instead.

2. pam_krb5 only tries to get tokens for the local cell by default. I changed it to also try to get tokens in the cell containing the user's home directory, if different than the local cell.

3. pam_krb5 needs to know which Kerberos realm to use to obtain the AFS service ticket. It basically uses the following procedure:

   - fs whereis /afs/cell.name
   - look up the DNS names of the file servers for /afs/cell.name
   - use krb5_get_host_realm() on these DNS names to get the matching Kerberos realm

   Aside from the question of whether or not this is the correct thing to do, pam_krb5 was only passing a buffer big enough to hold 1 IP address when looking up the servers containing /afs/cell.name. So if your root.cell volume was replicated it would break. I fixed this.

4. Not all of the debugging statements in pam_krb5 were active, even when 'debug' was specified in the pam configuration files. Some of the debugging statements that didn't work were instrumental in figuring out what was wrong with the above problems.

5. I also packaged the 'afs5log' program. This is included with the source code of pam_krb5, and basically does the same thing as 'aklog', except using Red Hat's own AFS code instead of the actual AFS libraries. It's useful for debugging purposes since it acts mostly identically to pam_krb5.

You can download the updated RPMs from here:

http://www-personal.engin.umich.edu/~wingc/openafs/pam_krb5/2.1.2-1.fixed/

I compiled them both for i386 and x86_64 (AMD Athlon64/Opteron/Intel EM32T).
Hopefully, these should fix any problems people are having with pam_krb5 logins for users with AFS home directories. I don't know anything about Fedora or other OSes, but I'd guess you should be able to recompile this module on FC3 or similar systems at least.

I will be sending the patches to Red Hat very soon so hopefully future versions of pam_krb5 will include the fixes.

Thanks,

Chris Wing
[EMAIL PROTECTED]
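The buffer problem described in item 3, as an added example that is not part of the original post and is not taken from the pam_krb5 source: a caller that reserves room for one server address works for an unreplicated volume and fails once the volume has several replicas. The function whereis_lookup(), the MAX_SERVERS bound, the sample addresses and the choice to fail with E2BIG rather than truncate are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SERVERS 13  /* assumed upper bound on replicas per volume */

/* Constructed sample: file servers holding a replicated root.cell
 * (documentation-range addresses, host byte order). */
static const uint32_t sample_servers[] = { 0xC0000201u, 0xC0000202u, 0xC0000203u };
#define N_SAMPLE (sizeof sample_servers / sizeof sample_servers[0])

/* Hypothetical stand-in for the "which servers hold this path" query.
 * Modelled on an ioctl-style call: it fails when the caller's output
 * buffer cannot hold every address instead of silently truncating. */
static int whereis_lookup(uint32_t *out, size_t out_bytes, size_t n_replicas)
{
    size_t need = n_replicas * sizeof(uint32_t);
    if (n_replicas > N_SAMPLE) { errno = EINVAL; return -1; }
    if (out_bytes < need) { errno = E2BIG; return -1; }
    memcpy(out, sample_servers, need);
    return (int)n_replicas;
}

/* Before: room for exactly one address, fine for an unreplicated volume. */
static int servers_before(size_t n_replicas)
{
    uint32_t addr;
    return whereis_lookup(&addr, sizeof addr, n_replicas);
}

/* After: buffer sized for the most addresses the query can return. */
static int servers_after(size_t n_replicas, uint32_t *first)
{
    uint32_t addrs[MAX_SERVERS];
    int n = whereis_lookup(addrs, sizeof addrs, n_replicas);
    if (n > 0 && first) *first = addrs[0];
    return n;
}

int main(void)
{
    printf("1 replica:  before=%d after=%d\n", servers_before(1), servers_after(1, NULL));
    printf("3 replicas: before=%d after=%d\n", servers_before(3), servers_after(3, NULL));
    return 0;
}
```

Because the one-address caller sees the whole lookup fail, every later step that depends on it (DNS name, then realm) never runs, which is why the symptom appears only at sites with a replicated root.cell.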