[OpenAFS] pam_gssklog with gdm

Stephen Pearson stephen@hplb.hpl.hp.com
01 Oct 2003 17:12:00 +0100


I'm trying to get OpenAFS to work on Linux with pam_gssklog and using 
a Windows 2003 server KDC.  I seem to be getting pretty close, but I
can't get gdm to log me in.

So far I can log in via SSH or on the console using my Windows principal
password, and I see my TGT and afs token as expected.  However gdm login
always fails and complains that it can't write to
"~/.gconf-test-locking-file".  Syslog contains the following messages:

Oct  1 16:45:19 rit-scan gdm(pam_unix)[3921]: check pass; user unknown
Oct  1 16:45:19 rit-scan gdm(pam_unix)[3921]: authentication failure;
logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
Oct  1 16:45:19 rit-scan gdm-binary[3921]: pam_gssklog:
pam_sm_authenticate:called
Oct  1 16:45:19 rit-scan gdm-binary[3921]: pam_krb5: authentication
succeeds for `stephen'
Oct  1 16:45:19 rit-scan gdm-binary[3921]: pam_gssklog:
pam_sm_setcred:called
Oct  1 16:45:19 rit-scan gdm(pam_unix)[3921]: session opened for user
stephen by (uid=0)
Oct  1 16:45:19 rit-scan gdm[3921]: gdm_slave_session_start: Directory
/afs/hpl.hp.com/home/stephen/.gnome2 does not exist.

Here's the auth section of my system-auth PAM config (I'm using nss
LDAP as well).  For some reason, I have to add pam_gssklog before
pam_krb5 or I don't get my AFS token.

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        optional      /lib/security/$ISA/pam_gssklog.so.1 debug
auth        sufficient    /lib/security/$ISA/pam_krb5.so try_first_pass
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

I have managed to make this work (including gdm) using pam_krb5afs
against an MIT Kerberos KDC running a krb524 service, but Win 2003
only supports v5 tickets and gssklog seems to be the way to go.

It looks like pam_sm_setcred gets called, so maybe gdm doesn't set
the PAG correctly?

I'm using Red Hat 9, openafs-1.2.10, gssklog-0.10.

Anybody managed this before?

Thanks.
Steve.

-- 
[(hp)]   : Stephen Pearson <stephen@hp.com>
invent   : RIT Platforms, HP Labs Bristol, UK
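The ordering constraint in the post (pam_gssklog has to sit before pam_krb5) follows from how a `sufficient` module that succeeds ends the walk of a PAM stack, so anything listed after it never runs. The following added example is not part of the original post or of OpenAFS; it models that walk over the posted auth section with constructed per-module outcomes taken from the syslog, and the names POSTED_STACK, REORDERED_STACK and run_auth_stack are hypothetical.

```python
"""Constructed model of how Linux-PAM walks an 'auth' stack (illustration
only; module names and outcomes come from the posted config and syslog,
nothing here calls real PAM)."""

# (control_flag, module): the posted auth section with paths/options dropped.
POSTED_STACK = [
    ("required", "pam_env"),
    ("sufficient", "pam_unix"),
    ("optional", "pam_gssklog"),
    ("sufficient", "pam_krb5"),
    ("sufficient", "pam_ldap"),
    ("required", "pam_deny"),
]

# Same stack with pam_gssklog placed after pam_krb5 (hypothetical variant).
REORDERED_STACK = [e for e in POSTED_STACK if e[1] != "pam_gssklog"]
REORDERED_STACK.insert(3, ("optional", "pam_gssklog"))

# Constructed per-module outcomes matching the syslog: pam_unix fails
# ("user unknown": the account lives in LDAP), pam_krb5 succeeds.
RESULTS = {"pam_env": True, "pam_unix": False, "pam_gssklog": True,
           "pam_krb5": True, "pam_ldap": True, "pam_deny": False}


def run_auth_stack(stack, results):
    """Return (success, modules_run) using the four classic control flags."""
    executed = []
    required_failed = False
    for flag, module in stack:
        executed.append(module)
        ok = results[module]
        if flag == "requisite" and not ok:
            return False, executed          # hard stop on failure
        if flag == "required" and not ok:
            required_failed = True          # remembered; keep walking
        if flag == "sufficient" and ok and not required_failed:
            return True, executed           # short-circuit: the rest never runs
        # 'optional' results are ignored (they only count if nothing else does)
    return not required_failed, executed


if __name__ == "__main__":
    for name, stack in (("posted", POSTED_STACK), ("reordered", REORDERED_STACK)):
        ok, ran = run_auth_stack(stack, RESULTS)
        print(f"{name:9s} success={ok} ran={ran}")
```

With the posted order pam_gssklog is reached before pam_krb5 ends the stack; with it moved after pam_krb5 it is never executed at all, which is the behaviour the post describes.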