[OpenAFS] Re: openSuSE 10.1 krb5 through windows kdc, openafs 1.4.x, PAM

Russ Allbery rra@stanford.edu
Thu, 12 Apr 2007 15:12:49 -0700

Simon Wilkinson <sxw@inf.ed.ac.uk> writes:

> The best way I am aware of is to get your Kerberos 5 credentials using a
> 'normal' pam_krb5, running in the auth section of the stack. Then, use a
> PAM AFS session module to use these to get AFS credentials at session
> establishment (in the 'session' part of the PAM stack). There are two
> such modules of which I am currently aware:

> * Doug Engert's pam_afs2
> (ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar and
> ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.2.tar)
> * Russ Allbery's pam_openafs_session
> (http://www.eyrie.org/~eagle/software/pam-afs-session/)

> We're currently using pam_afs2 here - I think it's likely we'll
> investigate moving to pam_openafs_session for our next major release.

Very minor correction: my module is pam-afs-session.  pam_openafs_session
was another module written by Sam Hartman and mostly used in Debian, which
is being superseded with pam-afs-session for the Debian lenny release.

