[OpenAFS] pam_afs_session on Fedora 11 clients with kerberos authentication (FreeIPA)

Russ Allbery rra@stanford.edu
Thu, 03 Sep 2009 11:08:45 -0700

Mauricio Villarroel <villarroel.mauricio@gmail.com> writes:

> 3. pam_afs_session:
> ---------------------------------------------

> pam_afs_session worked without problems in our end. Is there a plan to merge
> it into the main openafs-client codebase?

We've talked about it and mostly reached the conclusion that it was easier
to keep them separate on separate release cycles.  I'm curious what
benefit you'd see in the merger.  Mostly just having pre-built RPMs of the
module, or is there something else as well?

> 4. PAM and AFS tokens
> ---------------------------------------------

> This was kind of tricky. Our students had no problems logging into the
> workstations with their kerberos credentials; the problem was that they
> were not getting their AFS tokens at login time, neither when they logged
> into their graphical environment, nor when using ssh. Actually,
> pam_open_session or pam_setcred was correctly getting the tokens, but
> they were destroyed before the user got a usable BASH or KDM session.

Something else was blowing away the session keyring, I suspect, and yes, I
see below that was the case.  This will be fixed in the next release of
pam-afs-session if you have a new enough AFS client to have the system
call to ask whether you already have a PAG, and as soon as I have a chance
to work on it.

> Part of my "/etc/krb5.conf" file contains:

>     [appdefaults]
>     pam = {
>       debug = false
>       ticket_lifetime = 36000
>       renew_lifetime = 36000
>       forwardable = true
>       krb4_convert = false
>       ignore_root = true
>       ignore_afs = true
>     }
>     pam-afs-session = {
>       minimum_uid = 100
>       ignore_root = true
>     }

> I had to put "ignore_afs = true", because otherwise pam_krb5 was trying
> to contact the afs server with different versions of kerberos tickets;
> part of my log files showed things such as:

Yeah, the Red Hat pam_krb5 has various odd problems.

> Reading the pam_afs_session, I realized that it had to be
> pam_keyinit. I thought the settings in system-auth should be fine, but
> then in "/etc/pam.d/sshd" I found:

>       session    optional     pam_keyinit.so force revoke
>       session    include      system-auth

> Why forcing? In fact, pam_keyinit was being called twice: by sshd and by
> system-auth. When I commented out that line, everything worked fine and
> users got their tokens at login time. The same happens in the pam files
> xdm and kdm.  I am not sure about the implications in Fedora of removing
> the "pam_keyinit.so force revoke"; does someone know?

If you're not using keyrings for anything other than AFS PAGs, you don't
care.  It means the user isn't getting a session keyring for other
purposes, I think.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
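As an added example (not code from this thread, from OpenAFS or from pam-afs-session), the shell helper below flattens a PAM service's session stack through its "include"/"substack" lines and warns when pam_keyinit.so ends up running more than once, which is the sshd-plus-system-auth pattern described above. The pam.d layout it builds is constructed for the demo; the function names are mine.

```shell
#!/bin/sh
# Flatten the "session" stack of a PAM service, following include/substack
# lines, and print each effective line prefixed with the file it came from.
#   $1 = pam.d directory, $2 = service name (e.g. sshd)
flatten_session_stack() {
    awk -v dir="$1" -v svc="$2" '
        function walk(file,    path, line, w) {
            path = dir "/" file
            while ((getline line < path) > 0) {
                sub(/#.*/, "", line)                 # drop comments
                if (line ~ /^[ \t]*$/) continue      # skip blank lines
                split(line, w)
                if (w[1] !~ /^-?session$/) continue  # only the session stack
                if (w[2] == "include" || w[2] == "substack") walk(w[3])
                else print file ": " line
            }
            close(path)
        }
        BEGIN { walk(svc) }'
}

# Print the flattened stack and return 1 when pam_keyinit.so appears more
# than once (pam_keyinit "force" replaces the session keyring unconditionally,
# so a second call can discard a keyring that already holds the AFS PAG).
audit_session_stack() {
    stack=$(flatten_session_stack "$1" "$2")
    printf '%s\n' "$stack"
    n=$(printf '%s\n' "$stack" | grep -c 'pam_keyinit\.so' || true)
    if ! printf '%s\n' "$stack" | grep -q 'pam_afs_session\.so'; then
        echo "NOTE: pam_afs_session.so is not in the session stack for $2"
    fi
    if [ "$n" -gt 1 ]; then
        echo "WARN: pam_keyinit.so runs $n times for $2; check for 'force revoke'"
        return 1
    fi
    return 0
}

# Constructed Fedora-like pam.d layout for the demo (not copied from a real host).
make_sample_pamd() {
    d=$(mktemp -d)
    printf '%s\n' 'session     optional      pam_keyinit.so revoke' \
                  'session     optional      pam_afs_session.so' \
                  'session     required      pam_unix.so' > "$d/system-auth"
    printf '%s\n' 'auth       include      system-auth' \
                  'session    optional     pam_keyinit.so force revoke' \
                  'session    include      system-auth' > "$d/sshd"
    echo "$d"
}

if [ "$#" -eq 2 ]; then audit_session_stack "$1" "$2"; fi
```

Run it as `sh audit.sh /etc/pam.d sshd` (and again for xdm or kdm) on a real host; a non-zero exit marks a service whose session stack calls pam_keyinit.so twice.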