[OpenAFS] tokens at login (pam_krb5afs module)
Christopher Allen Wing
wingc@engin.umich.edu
Tue, 26 Apr 2005 15:25:02 -0400 (EDT)
> One interesting note is that "klist" under
> 3.4 gives an entry for "afs.econ.duke.edu@ECON.DUKE.EDU"
> whereas for 4 it does not. However, it seems to work - I can
> access files in AFS, etc.
pam_krb5 in RHEL4 no longer uses the Kerberos ticket file directly to
obtain AFS tokens; this is why it does not show up in klist.
(It obtains the necessary Kerberos ticket and stores it in memory only.)

The reason why using the new principal (afs/econ.duke.edu@ECON.DUKE.EDU)
works and the old one (afs@ECON.DUKE.EDU) doesn't is a bug in pam_krb5.
pam_krb5 only uses the instance-less principal when it can figure out the
realm name properly.

Due to a bug, it can't figure out the realm name properly if you have more
than 1 AFS server that serves /afs/econ.duke.edu.

So I'm guessing that the underlying problem was that you had 2 AFS
servers. I have a fixed version of pam_krb5 that will work properly in
this case. At some point I will get the patches to Red Hat.
-Chris
wingc@engin.umich.edu