[OpenAFS] Help: Make UNIX traditional su command to get OpenAFS token
Derrick Brashear
shadow@gmail.com
Mon, 13 Jun 2011 11:16:15 -0400
as was explained in IRC last night, the system auth rules create a
PAG, but since you don't type a kerberos
password at su for root and thus get no ticket, you also get no token
and have no permissions.
you should succeed for uid 0 before calling the afs session module,
probably only for su.
On Mon, Jun 13, 2011 at 5:49 AM, Lee Eric <openlinuxsource@gmail.com> wrote=
:
> Hi,
>
> As I use ksu to the user it seems pam_afs_session can work well.
>
> [root@submit ~]# kinit huli
> Password for huli@HERDINGCAT.INTERNAL:
> [root@submit ~]# ksu huli
> Changing uid to huli (501)
> [huli@submit root]$
>
> But as I use su command it won't work can report that cannot access
> the home dir.
>
> [root@submit ~]# kinit huli
> Password for huli@HERDINGCAT.INTERNAL:
> [root@submit ~]# su -l huli
> su: warning: cannot change directory to
> /afs/herdingcat.internal/home/huli: Permission denied
> -bash: /afs/herdingcat.internal/home/huli/.bash_profile: Permission denie=
d
> -bash-4.1$
>
> Here's the /etc/pam.d/system-auth and /etc/pam.d/su configuration files.
>
> system-auth:
>
> auth =A0 =A0 =A0 =A0required =A0 =A0 =A0pam_env.so
> auth =A0 =A0 =A0 =A0sufficient =A0 =A0pam_unix.so nullok try_first_pass
> auth =A0 =A0 =A0 =A0requisite =A0 =A0 pam_succeed_if.so uid >=3D 500 quie=
t
> auth =A0 =A0 =A0 =A0sufficient =A0 =A0pam_krb5.so use_first_pass
> auth =A0 =A0 =A0 =A0optional =A0 =A0 =A0pam_afs_session.so
> auth =A0 =A0 =A0 =A0required =A0 =A0 =A0pam_deny.so
>
> account =A0 =A0 required =A0 =A0 =A0pam_unix.so broken_shadow
> account =A0 =A0 sufficient =A0 =A0pam_succeed_if.so uid < 500 quiet
> account =A0 =A0 [default=3Dbad success=3Dok user_unknown=3Dignore] pam_kr=
b5.so
> account =A0 =A0 required =A0 =A0 =A0pam_permit.so
>
> password =A0 =A0requisite =A0 =A0 pam_cracklib.so try_first_pass retry=3D=
3 type=3D
> password =A0 =A0sufficient =A0 =A0pam_unix.so sha512 shadow nullok
> try_first_pass use_authtok
> password =A0 =A0sufficient =A0 =A0pam_krb5.so use_authtok
> password =A0 =A0required =A0 =A0 =A0pam_deny.so
>
> session =A0 =A0 optional =A0 =A0 =A0pam_keyinit.so revoke
> session =A0 =A0 required =A0 =A0 =A0pam_limits.so
> -session =A0 =A0 optional =A0 =A0 =A0pam_systemd.so
> session =A0 =A0 [success=3D1 default=3Dignore] pam_succeed_if.so service =
in
> crond quiet use_uid
> session =A0 =A0 required =A0 =A0 =A0pam_unix.so
> session =A0 =A0 optional =A0 =A0 =A0pam_krb5.so
> session =A0 =A0 required =A0 =A0 =A0pam_afs_session.so
>
> su:
>
> auth =A0 =A0 =A0 =A0 =A0 =A0sufficient =A0 =A0 =A0pam_rootok.so
> auth =A0 =A0 =A0 =A0 =A0 =A0include =A0 =A0 =A0 =A0 system-auth
> account =A0 =A0 =A0 =A0 sufficient =A0 =A0 =A0pam_succeed_if.so uid =3D 0=
use_uid quiet
> account =A0 =A0 =A0 =A0 include =A0 =A0 =A0 =A0 system-auth
> password =A0 =A0 =A0 =A0include =A0 =A0 =A0 =A0 system-auth
> session =A0 =A0 =A0 =A0 include =A0 =A0 =A0 =A0 system-auth
> session =A0 =A0 =A0 =A0 optional =A0 =A0 =A0 =A0pam_xauth.so
>
> I noticed that su has quote system-auth but it seems not work properly.
>
> Could anyone tell me what's going on?
>
> Thanks very much.
>
> Eric
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
--=20
Derrick