[OpenAFS] Off-topic, anyone tried this?

Michael Lasevich openafslist@lasevich.net
Tue, 21 May 2002 14:51:16 -0700


I actually found, downloaded, and compiled pam_openafs_session (god bless
Google!), but something is wrong with it or my setup (I am getting a bad
parameter from aklog during login). But it gives me an awesome framework to
hack from!!! Thank you.

As for krb5afs, this is the default module RH's authconfig put into PAM. It
does not work for me. There are no errors whatsoever and it gets the
krbtgt/REALM@REALM K5 ticket. It does NOT get afs/cell@REALM K5 ticket or
AFS token. If I run aklog I get those without an issue. There is nothing in
the /var/log/messages about krb5afs except for

May 21 14:44:18 afsclient sshd[22094]: pam_krb5afs: authentication succeeds for `michael'

(afsclient is the name of the unix client machine and michael is the user
account)

I added the word "debug" after every instance of krb5afs module in the
pam.d/system-auth file, but it did not change anything.

-Michael


----- Original Message -----
From: "Derek Atkins" <warlord@MIT.EDU>
To: "Michael Lasevich" <openafslist@lasevich.net>
Cc: "OpenAFS Info List" <openafs-info@openafs.org>
Sent: Tuesday, May 21, 2002 2:10 PM
Subject: Re: [OpenAFS] Off-topic, anyone tried this?


> Actually, did you try the pam_krb5afs module?  Does that not work for
> you?  What happens if you turn on the syslog mode -- what error(s) does
> it give you?
>
> Currently, AFAIK, there is no RPM of the pam-openafs-session module.
>
> -derek
>
> Derek Atkins <warlord@MIT.EDU> writes:
>
> > The aklog executable obtains a v5 AFS ticket and converts it to a
> > token via krb524d.  It does not get you v4 tickets.
> >
> > You might want to try the pam-openafs-session PAM module (which is not
> > distributed with the OpenAFS RPMs -- perhaps I should fix that?) which
> > should give you the hook to aklog that you need.
> >
> > -derek
> >
> > "Michael Lasevich" <openafslist@lasevich.net> writes:
> >
> > > I am using RedHat 7.2 for AFS server and UNIX client (Win2k for the Windows
> > > client) with "Active Directory" on win2k domain server as my K5 server
> > > (using a patched version of MIT's krb524d running on my AFS server to
> > > convert the tickets)
> > >
> > > I can do kinit/aklog from command line without a problem.
> > > I can get a K5 ticket at login (PAM) time, however I cannot get aklog to run
> > > from PAM (thus cannot place the home dirs into AFS space as I want). I tried
> > > several pam plugins, but for some reason none have worked.
> > >
> > > I suspect the problem is that the modded krb524d daemon (running on a UNIX
> > > machine) uses afs/cell@REALM ticket instead of krbtgt/cell@REALM to do the
> > > conversion (I know this causes some issues with the Windows client). Though I
> > > am not an expert on the subject, I am suspecting this is what the standard
> > > krb524lib using pam modules try (but then again, why does the aklog
> > > executable work??)
> > >
> > > -Michael
> > >
> > > > "Michael Lasevich" <openafslist@lasevich.net> writes:
> > > >
> > > > > (ironically I got the Windows part to work, but cannot get PAM to execute
> > > > > kinit/aklog properly on Linux - works fine from the command line)
> > > >
> > > > What Linux distro are you using?
> > > > Are you using MIT-K5, Heimdal, or KAServer?
> > > >
> > > > -derek
> > > > --
> > > >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > > >        Member, MIT Student Information Processing Board  (SIPB)
> > > >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
> > > >        warlord@MIT.EDU                        PGP key available
> > > >
> > >
> >
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info