[OpenAFS] Re: openSuSE 10.1 krb5 through windows kdc, openafs 1.4.x, PAM

David Bear David.Bear@asu.edu
Thu, 12 Apr 2007 16:28:44 -0700


On Thu, Apr 12, 2007 at 03:12:49PM -0700, Russ Allbery wrote:
> Simon Wilkinson <sxw@inf.ed.ac.uk> writes:
> 
> > The best way I am aware of is to get your Kerberos 5 credentials using a
> > 'normal' pam_krb5, running in the auth section of the stack. Then, use a
> > PAM AFS session module to use these to get AFS credentials at session
> > establishment (in the 'session' part of the PAM stack). There are two
> > such modules of which I am currently aware:
> 
> > * Doug Engert's pam_afs2
> > (ftp://achilles.ctd.anl.gov/pub/DEE/pam_afs2-0.1.tar and
> > ftp://achilles.ctd.anl.gov/pub/DEE/gafstoken-0.2.tar)
> > *  Russ Allbery's pam_openafs_session
> > (http://www.eyrie.org/~eagle/software/pam-afs-session/)
> 
> > We're currently using pam_afs2 here - I think it's likely we'll
> > investigate moving to pam_openafs_session for our next major release.
> 
> Very minor correction: my module is pam-afs-session.  pam_openafs_session
> was another module written by Sam Hartman and mostly used in Debian, which
> is being superseded with pam-afs-session for the Debian lenny release.

This is really good information. But for those like me who like to
avoid learning the depths of pam, it would be great to see some
pam.conf samples. 

Anyone have a set of pam.configs they could perhaps put in a wiki
somewhere?


-- 
David Bear
phone: 	602-496-0424
fax: 	602-496-0955
College of Public Programs/ASU
University Center Rm 622
411 N Central
Phoenix, AZ 85007-0685
 "Beware the IP portfolio, everyone will be suspect of trespassing"