[OpenAFS] Receiving openafs token per Kerberos 5

michael@derhammer.net michael@derhammer.net
Wed, 20 Feb 2008 17:19:20 +0100

Hi at all!

I am trying to use single sign on openssh with kerberos. The authentication
part is already working. Now I have the problem of receiving a token after
the login. As far as I understand this is the job of pam_afs_session.so.
So here is my system-auth which is included in /etc/pam.d/ssh

auth    required    pam_env.so
auth    [success=ok default=1] pam_krb5.so try_first_pass
auth    [default=done] pam_afs_session.so
auth    sufficient  pam_unix.so likeauth nullok try_first_pass
auth    sufficient  pam_ldap.so use_first_pass
auth    required  pam_deny.so

account    sufficient   pam_krb5.so
account    sufficient   pam_ldap.so
account    sufficient   pam_localuser.so
account    required   pam_unix.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_krb5.so
password   sufficient   pam_unix.so nullok use_authtok shadow md5
password   required     pam_deny.so

session  optional  pam_krb5.so
session  sufficient pam_afs_session.so
session  optional pam_ldap.so
session  sufficient pam_unix.so

But pam_afs_session.so is posting the following error:

sshd[22617]: (pam_afs_session): no token program set in PAM arguments

This error message is coming twice. I would say for auth and session. I am
really out of ideas especially because everything is working fine with a
local login. I can't see the difference to the ssh login because the auth
part with krb is working AND I do have the krb token after login. A simple
aklog is enough to receive the token and I can access my home directory ...

help is really appreciated, g


Michael Hammer                                                /      |
GPG-Key-ID: 0x1BA5F0DE                                        \______|
GPG-Fingerprint:                                                 ||
  8704 11D1 048A 2F24 89D0  6B9E 3EC4 6EDF 1BA5 F0DE             ||
phone: +43 (0) 650 86 33 55 8                                    ||
Graz - AUSTRIA                                                   ||
http://www.michael-hammer.at/           michael@derhammer.net    ~~
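
Added example, not part of the original post: the logged message says no token program was passed in the PAM arguments, so this Python check parses a PAM stack and lists the pam_afs_session.so rules that carry no program= argument. The program= option name is an assumption taken from pam-afs-session's documentation, and the sample stack is constructed from the auth and session lines quoted above.

```python
import re

# Constructed sample: auth and session rules copied from the stack in the post.
SAMPLE_STACK = """\
auth    required    pam_env.so
auth    [success=ok default=1] pam_krb5.so try_first_pass
auth    [default=done] pam_afs_session.so
auth    sufficient  pam_unix.so likeauth nullok try_first_pass
session  optional  pam_krb5.so
session  sufficient pam_afs_session.so
"""

# Fields: type, control (keyword or bracketed [value=action ...]), module, args.
PAM_LINE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Yield (lineno, type, control, module, args) for each rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = PAM_LINE.match(line)
        if m:  # @include directives do not match and are skipped
            mtype, control, module, args = m.groups()
            yield lineno, mtype, control, module, args.split()


def afs_session_without_program(text, option="program"):
    """Return [(lineno, type)] for pam_afs_session rules lacking option=<path>.

    'program' as the option name is an assumption (see the lead-in).
    """
    missing = []
    for lineno, mtype, _control, module, args in parse_pam(text):
        # Accept both a bare module name and an absolute module path.
        if module.rsplit("/", 1)[-1] != "pam_afs_session.so":
            continue
        if not any(arg.startswith(option + "=") for arg in args):
            missing.append((lineno, mtype))
    return missing


if __name__ == "__main__":
    for lineno, mtype in afs_session_without_program(SAMPLE_STACK):
        print(f"line {lineno}: {mtype} pam_afs_session.so has no program= argument")
```

On the sample it reports the auth and the session rule, which matches the message being logged twice per login.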