Never mind. I figured it out!

I got the Kerberos login to work by running:

# authconfig --enablekrb5 --update

Then I updated /etc/pam.d/system-auth by adding pam_afs_session.so as described in the manual. At first, that didn't work, but then I discovered that pam.d/sshd included password-auth instead of system-auth, so I fixed that.

Now, when I log in, I automatically get an AFS token.

I next fixed the permissions in my home directory by adding my user to the ACL. Now I can write into my home directory!

I think we're there.

--
Steve

On Wed, Apr 25, 2018 at 12:03 PM, Steven Schoch <scho...@gmail.com> wrote:

> Thank you! I overlooked expiration time. I was expecting a ticket to be
> automatically created when I authenticated through SSH, but it didn't.
>
> I changed the file /etc/pam.d/system-auth as documented, so that the first
> section now looks like this:
>
> auth required pam_env.so
> auth sufficient pam_afs.so try_first_pass ignore_root
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth required pam_deny.so
>
> The expectation is when I connect with SSH, it will use Kerberos for
> authentication, but it doesn't seem to be getting a ticket. How do I do
> that?
>
> If I get a ticket manually using kinit, then aklog works. However, I still
> don't have permissions to create a file:
>
> $ cd /afs/.example.com/home/xdemo
> $ ls -ld
> drwxr-xr-x. 3 xdemo root 2048 Apr 25 10:57 .
> $ touch file
> touch: cannot touch `file': Permission denied
>
>
> On Wed, Apr 25, 2018 at 11:41 AM, Jeffrey Altman <jalt...@auristor.com>
> wrote:
>
>> -1765328352 (krb5).32 = Ticket expired
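
The mismatch described in the message above (a module added to system-auth while pam.d/sshd pulls in password-auth) can be checked by resolving a service's include/substack chain. This is an added example, not part of the original thread; the file contents, the helper names and the "fixed" variant are constructed assumptions.

```python
import re

# Constructed sample files (not from the original post): sshd pulls in
# password-auth, while pam_afs_session.so was added only to system-auth.
SAMPLE = {
    "sshd": "auth substack password-auth\nsession include password-auth\n",
    "password-auth": (
        "auth sufficient pam_unix.so nullok try_first_pass\n"
        "auth required pam_deny.so\n"
        "session required pam_unix.so\n"
    ),
    "system-auth": (
        "auth sufficient pam_unix.so nullok try_first_pass\n"
        "auth optional pam_afs_session.so\n"
        "auth required pam_deny.so\n"
        "session optional pam_afs_session.so\n"
        "session required pam_unix.so\n"
    ),
}
# Same files with sshd pointed at system-auth instead (one possible fix).
FIXED = dict(SAMPLE, sshd=SAMPLE["sshd"].replace("password-auth", "system-auth"))

# type, control (plain word or [bracketed list]), then module or included file
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def effective_modules(files, service, mod_type, _seen=None):
    """Modules reached for one service and type, following include/substack."""
    seen = set() if _seen is None else _seen
    if service in seen or service not in files:
        return []  # include loop or missing file: nothing more to add
    seen.add(service)
    modules = []
    for raw in files[service].splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != mod_type:
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            modules += effective_modules(files, target, mod_type, seen)
        else:
            modules.append(target)
    return modules

def stack_loads(files, service, module):
    """Map each PAM type to whether `module` is in the service's effective stack."""
    return {t: module in effective_modules(files, service, t)
            for t in ("auth", "account", "password", "session")}

if __name__ == "__main__":
    for label, files in (("before", SAMPLE), ("after", FIXED)):
        print(label, stack_loads(files, "sshd", "pam_afs_session.so"))
```

To run it against a live host, build the `files` dictionary from the contents of /etc/pam.d (file name as key) instead of the constructed sample.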