Hi!

We have a nicely working Heimdal + LDAP database (the OS is Debian/GNU
Linux), providing user authentication and authorization. Now, we would
like to move from somewhat unreliable NFS to something more robust - and
especially something more firewall friendly - and are considering OpenAFS.
There are some concerns, though.

When I configure the user home directory to reside on the afs, ssh logins
no longer work. This is due to the pam_krb5.so module trying to check the
.k5login in the user's home directory. This fails because root running
sshd does not have valid afs tokens. I rewrote the sshd startup script to
obtain both the Heimdal TGT and the corresponding afs token. Now it can
access the .k5login (which does not exist, by the way - pam_krb5.so seems
to fail trying to stat() the file, not because it does not contain the
proper principal). This introduced another problem: if the user logs in,
the user gets the token root obtained for sshd! I just wonder, why is
this? This might be relatively easy to hack around except that if the user
ever unlogs, the process running sshd loses access to afs as well.

What is The Way to have all three (afs, heimdal and sshd) work together?

The versions I use are OpenSSH 4.2, Heimdal 0.7.1, OpenAFS 1.3.81 and a
CVS build of pam_krb5.so (from 31.12.2005). PAM is configured as follows:

auth sufficient pam_krb5.so external forwardable use_shmem debug
auth required pam_unix.so try_first_pass

account sufficient pam_krb5.so external forwardable use_shmem debug
account required pam_unix.so

session sufficient pam_krb5.so external forwardable use_shmem debug
session required pam_unix.so

Thanks for any help and/or pointers!

-Juha

P.S. Moderator: sorry for bothering you earlier with the same message
mistakenly sent from a non-list address!

-- 
                 -----------------------------------------------
                | Juha Jäykkä, [EMAIL PROTECTED]                        |
                | Laboratory of Theoretical Physics             |
                | Department of Physics, University of Turku    |
                | home: http://www.utu.fi/~juolja/              |
                 -----------------------------------------------
