Mauricio Villarroel <villarroel.mauri...@gmail.com> writes:

> 3. pam_afs_session:
> ---------------------------------------------
> pam_afs_session worked without problems in our end. Is there a plan to merge
> it into the main openafs-client codebase?

We've talked about it and mostly reached the conclusion that it was easier
to keep them separate on separate release cycles.  I'm curious what benefit
you'd see in the merger.  Mostly just having pre-built RPMs of the module,
or is there something else as well?

> 4. PAM and AFS tokens
> ---------------------------------------------
> This was kind of tricky. Our students had no problems logging into the
> workstations with their Kerberos credentials; the problem was that they
> were not getting their AFS tokens at login time, neither when they logged
> into their graphical environment, nor when using ssh. Actually,
> pam_open_session or pam_setcred was correctly getting the tokens, but
> they were destroyed before the user got a usable BASH or KDM session.

Something else was blowing away the session keyring, I suspect, and yes, I
see below that was the case.  This will be fixed in the next release of
pam-afs-session if you have a new enough AFS client to have the system call
to ask whether you already have a PAG, and as soon as I have a chance to
work on it.

> Part of my "/etc/krb5.conf" file contains:
>
> [appdefaults]
>     pam = {
>         debug = false
>         ticket_lifetime = 36000
>         renew_lifetime = 36000
>         forwardable = true
>         krb4_convert = false
>         ignore_root = true
>         ignore_afs = true
>     }
>     pam-afs-session = {
>         minimum_uid = 100
>         ignore_root = true
>     }
>
> I had to put "ignore_afs = true", because otherwise pam_krb5 was trying
> to contact the AFS server with different versions of Kerberos tickets;
> part of my log files showed things such as:

Yeah, the Red Hat pam_krb5 has various odd problems.

> Reading the pam_afs_session, I realized that it has to be
> pam_keyinit..  I thought the settings in system-auth should be fine, but
> then in "/etc/pam.d/sshd" I found:
>
> session optional pam_keyinit.so force revoke
> session include system-auth
>
> Why forcing?  In fact, pam_keyinit was being called twice: by sshd and
> system-auth, but when I commented out that line, everything worked fine;
> users got their tokens at login time.  The same happens in the pam files
> xdm and kdm.  I am not sure about the implications in Fedora of removing
> the "pam_keyinit.so force revoke"; does someone know?

If you're not using keyrings for anything other than AFS PAGs, you don't
care.  It means the user isn't getting a session keyring for other
purposes, I think.

-- 
Russ Allbery (r...@stanford.edu)             <http://www.eyrie.org/~eagle/>

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
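A small lint for the PAM-stack interaction discussed in this thread, added here as an example and not code from the thread or from pam-afs-session: it flattens the session phase of a PAM service (following `include`/`substack`), flags a `pam_keyinit.so` entry carrying `force` (which replaces the session keyring unconditionally, and with keyring-based PAGs that keyring is where the PAG lives) in a stack that also loads `pam_afs_session.so`, and reports pam_keyinit being invoked more than once. The PAM files are constructed in-memory samples modelled on the sshd/system-auth lines quoted above, not a real Fedora configuration.

```python
from collections import namedtuple

# Constructed PAM service files modelled on the thread, not a real Fedora dump.
PAM_FILES = {
    "sshd": ["auth     include    system-auth",
             "session  optional   pam_keyinit.so force revoke",
             "session  include    system-auth"],
    "system-auth": ["auth     sufficient pam_krb5.so",
                    "session  optional   pam_keyinit.so revoke",  # second call, as in the thread
                    "session  required   pam_unix.so",
                    "session  optional   pam_afs_session.so"],
}
Rule = namedtuple("Rule", "service rtype control module args")  # service: originating file

def parse_rule(service, line):
    """Parse one 'type control module [args]' line; None for blanks and comments."""
    parts = line.split("#", 1)[0].split()
    if not parts:
        return None
    if len(parts) < 3:
        raise ValueError(f"{service}: malformed PAM line {line!r}")
    return Rule(service, parts[0].lower(), parts[1].lower(), parts[2], tuple(parts[3:]))

def session_stack(files, service, seen=()):
    """Flatten the session-phase rules of `service`, following include/substack."""
    if service in seen:
        raise ValueError(f"include loop via {service}")
    stack = []
    for raw in files[service]:
        rule = parse_rule(service, raw)
        if rule is None or rule.rtype != "session":
            continue
        if rule.control in ("include", "substack"):
            stack.extend(session_stack(files, rule.module, seen + (service,)))
        else:
            stack.append(rule)
    return stack

def lint_session(files, service):
    """Flag pam_keyinit `force` (replaces the session keyring holding the PAG) beside pam_afs_session, and repeats."""
    stack = session_stack(files, service)
    keyinit = [r for r in stack if r.module == "pam_keyinit.so"]
    has_pag = any(r.module == "pam_afs_session.so" for r in stack)
    findings = [f"{service}: {r.service} runs pam_keyinit.so {' '.join(r.args)} "
                "alongside pam_afs_session.so" for r in keyinit
                if has_pag and "force" in r.args]
    if len(keyinit) > 1:
        findings.append(f"{service}: pam_keyinit.so invoked {len(keyinit)} times "
                        f"({', '.join(r.service for r in keyinit)})")
    return findings
```

Running `lint_session(PAM_FILES, "sshd")` reports both the `force revoke` line and the double invocation; dropping that sshd line, as the thread did, clears both findings.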