On 2011-02-18 at 12:33, Ken Dreyer ( ktdre...@ktdreyer.com ) said:
> On Fri, Feb 18, 2011 at 12:19 PM, Brandon S Allbery KF8NH
> <allber...@gmail.com> wrote:
>> On 2/18/11 14:14 , Andy Cobaugh wrote:
>>> Just curious why you're not just using the stock pam_krb5? At least in a
>>> plain jane krb5 environment, pam_krb5 has worked fine for us (though I
>>> haven't tried very recent Fedora).
>>
>> There are programs which don't do PAM right; in particular, they run
>> pam_krb5 in root's context instead of the user's context, which worst-case
>> results in a UID-based (no PAG) root token and no user token.  This works
>> fine with krb5 if they do it right, but the token is a side effect that
>> can't be corrected in the session module.
>
> Right, I want PAG support and the other benefits of pam_afs_session.
>
> Red Hat's pam_krb5's AFS support is not very good. In addition to not
> granting PAGs, I've seen situations where it will check if AFS is
> running, and if so, it attempts to convert the user's Kerberos 5
> credential to a Kerberos 4 credential. This will time out because it
> cannot find the Kerberos 4 KDCs (none exist). Logins were taking a
> minute or more in these cases. Setting "ignore_afs" solved the
> problem.

I can log in with pam_krb5, and I get put in a keyring-based PAG. I do see that the krb4_* options are no longer available in f14.

In any event, would definitely welcome pam_afs_session in EPEL; at least our PAM configurations would be somewhat similar across platforms.

--andy
