[OpenAFS-devel] OpenAFS and Samba
Charles Clancy
mgrtcc@cs.rose-hulman.edu
Wed, 7 Mar 2001 20:42:10 -0500
> Did anybody succeed getting an AFS token using a samba server with Linux
> (and not AIX).
Well, my experience is with IBM-AFS 3.5 on Solaris, but to get Samba
2.0.7 to work with the AFS PAM module, I had to comment out the
pam_acct_mgmt() line. I've never been able to get Samba to do direct
AFS authentication. There were always conflicts between the AFS and
Solaris crypto libraries.
Here's the patch:
--- samba-2.0.7/source/passdb/pass_check.c Tue Jul 20 20:25:12
1999
+++ samba-2.0.7-hacked/source/passdb/pass_check.c Wed Jan 10
10:02:55 2001
@@ -126,8 +126,8 @@
* to do, but it is not clear that it isn't, either. This can be
* removed if no account management should be done. Alternately,
* put a pam_allow.so entry in /etc/pam.conf for account handling.
*/
- pam_error = pam_acct_mgmt(pamh, PAM_SILENT);
- PAM_BAIL;
+// pam_error = pam_acct_mgmt(pamh, PAM_SILENT);
+// PAM_BAIL;
pam_end(pamh, PAM_SUCCESS);
/* If this point is reached, the user has been authenticated. */
return(True);
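Review bot: With pam_acct_mgmt() and its PAM_BAIL commented out at the end of this hunk, the function reaches return(True) without any account-management result being checked, so account-level restrictions such as expiry or access rules are skipped for every PAM module in the stack, not only pam_afs. The comment in the context lines already names a narrower option: keep the call and put a pam_allow.so entry in /etc/pam.conf for account handling, which limits the relaxation to the Samba service and keeps it visible in configuration. If the lines must be disabled in source, use #if 0 ... #endif or a /* */ block rather than // comments, which are not valid in C89 and may not build with every compiler, and update the comment above to say why account management was removed.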
I emailed Samba about the PAM difficulties, and their response was:
"...add the pam_setcred() call from a patch submitted late last year.
The author indicated it was in direct relationship to pam_afs.so.
Would this solve your problem rather than commenting out the call to
pam_acct_mgmt()?"
Basically, add the following line right before pam_end:
pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT));
_________________________________________
Charles Clancy, mgrtcc@cs.rose-hulman.edu
Senior UNIX Administrator, Rose-Hulman CS