[OpenAFS-devel] [FOR TESTING] pam_krb5 RPMs for RHEL4 that work properly (i386, x86_64)

Harald Barth haba@pdc.kth.se
Mon, 09 May 2005 15:41:42 +0200 (MEST) 

> I finally got around to doing a proper fix for these issues. 

Nice :-)

> 1. pam_krb5 was basically doing 'fs whichcell /afs' to determine the name
> of the local cell. So if you had dynroot enabled it wanted to obtain
> tokens in a cell named 'dynroot'. I changed it to do the equivalent of 'fs
> wscell' instead.

Yes.

> 2. pam_krb5 only tries to get tokens for the local cell by default. I
> changed it to also try to get tokens in the cell containing the user's
> home directory, if different than the local cell.

Are you looking at TheseCells in configdir and $HOME/.TheseCells?

> 3. pam_krb5 needs to know which Kerberos realm to use to obtain the AFS
> service ticket. It basically uses the following procedure:
> 
> 	fs whereis /afs/cell.name
> 
> 	look up the DNS names of the file servers for /afs/cell.name
> 
> 	use krb5_get_host_realm() on these DNS names to get the matching
> 	Kerberos realm

That is tricky but I doubt if this is the right strategy. What if your
root.cell is in 2 different realms? (openafs.org was like that for a
while) I think you have to go with the local realm of the workstation
(DNS or krb5.conf) and if there is neither afs@WSREALM nor
afs/cell@WSREALM I think you may as well give up. You may want to try
afs/cell@CELL as a last way out.

> 4. Not all of the debugging statements in pam_krb5 were active, even when
> 'debug' was specified in the pam configuration files. Some of the
> debugging statements that didn't work were instrumental in figuring out
> what was wrong with the above problems.

Good. I never succeded in debugging PAM myself before.

> 5. I also packaged the 'afs5log' program. This is included with the source
> code of pam_krb5, and basically does the same thing as 'aklog', except
> using Red Hat's own AFS code instead of the actual AFS libraries.
> It's useful for debugging purposes since it acts mostly identically to
> pam_krb5.

Ah.

(I cut openafs-info from the recipients because this does not fit "info").

Harald.