[OpenAFS] Kerberos 5 / AFS / PAM
John Berninger
John_Berninger@ncsu.edu
Mon, 18 Jun 2001 13:20:41 -0400
Randy -
I saw the same behavior when attempting to set up Krb5 / AFS
integration; as I later figured out (with some help from people who'd
done it before), there is an undocumented 'feature' in the afs-krb5
migration kit; when you create the afs@realm principal, you must do so
by using kadmin.local with the -e option to specify an AFS salt for the
key. According to the documentation, and according to how I'm told it
should work, you shouldn't have to do this, but I wasn't able to get
anywhere until I invoked kadmin.local with the '-e "des-cbc-crc:afs3"'
option to create the afs principal. Once I did that, I was able to
transfer the keys as the kit's documentation said, and aklog was happy
with me.
On Mon, 18 Jun 2001, Neulinger, Nathan wrote:
> That's normal. That 'AFS ID' stuff is completely cosmetic and has no actual
> effect. You could probably modify the pam module to set the AFS ID
> information if you absolutely want it.
>
> -- Nathan
>
> > -----Original Message-----
> > From: Randy Philipp [mailto:randy@umbc.edu]
> > Sent: Monday, June 18, 2001 10:50 AM
> > To: openafs-info@openafs.org
> > Subject: [OpenAFS] Kerberos 5 / AFS / PAM
> >
> >
> > I have been trying to set up OpenAFS in a Kerberos 5 / AFS environment
> > and I have been running into the following problem. The token command is
> > not returning the AFS ID when listing tokens after my initial login. I
> > have configured PAM to use the pam_krb5afs.so module to get AFS tokens. I
> > get the following response from the tokens command:
> >
> > Tokens held by the Cache Manager:
> >
> > Tokens for afs@umbc.edu [Expires Jun 19 11:23]
> > --End of list--
> >
> > I appear to have tokens, and I have access to my AFS home directory.
> > While after I run afslog or klog, I get the following:
> >
> > Tokens held by the Cache Manager:
> >
> > User's (AFS ID xxxxxx) tokens for afs@umbc.edu [Expires Jun 19 11:23]
> > --End of list--
> >
> > I have been using the pam_krb5 RPM that comes with RedHat 6.2, and I have
> > tried newer versions of this PAM module, but I still get the same error.
> > While this error is minor, I am concerned that I may not be configuring
> > PAM correctly, or I am using a non-working version of Kerberos. Any help on
> > configuring PAM for AFS in a Kerberos 5 environment would be greatly
> > appreciated.
> >
> > Randy Philipp
> >
> >
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
--
Thank you,
John Berninger
Systems Administrator John_Berninger@ncsu.edu
Department of Mathematics Box 8205, Harrelson Hall
NC State University Raleigh, NC 27695
Phone: (919)515-6315 Fax: (919)515-3798
GPG Key ID: A8C1D45C
Fingerprint: B1BB 90CB 5314 3113 CF22 66AE 822D 42A8 A8C1 D45C
--