[OpenAFS] Kerberos 5 / AFS / PAM

John Berninger John_Berninger@ncsu.edu
Mon, 18 Jun 2001 13:20:41 -0400


Randy -

        I saw the same behavior when attempting to set up Krb5 / AFS
integration; as I later figured out (with some help from people who'd
done it before), there is an undocumented 'feature' in the afs-krb5
migration kit; when you create the afs@realm principal, you must do so
by using kadmin.local with the -e option to specify an AFS salt for the
key.  According to the documentation, and according to how I'm told it
should work, you shouldn't have to do this, but I wasn't able to get
anywhere until I invoked kadmin.local with the '-e "des-cbc-crc:afs3"'
option to create the afs principal.  Once I did that, I was able to
transfer the keys as the kit's documentation said, and aklog was happy
with me.

On Mon, 18 Jun 2001, Neulinger, Nathan wrote:

> That's normal. That 'AFS ID' stuff is completely cosmetic and has no actual
> effect. You could probably modify the pam module to set the AFS ID
> information if you absolutely want it.
> 
> -- Nathan
> 
> > -----Original Message-----
> > From: Randy Philipp [mailto:randy@umbc.edu]
> > Sent: Monday, June 18, 2001 10:50 AM
> > To: openafs-info@openafs.org
> > Subject: [OpenAFS] Kerberos 5 / AFS / PAM
> > 
> > 
> > I have been trying to set up OpenAFS in a Kerberos 5 / AFS environment
> > and I have been running into the following problem.  The token command is
> > not returning the AFS ID when listing tokens after my initial login.  I
> > have configured PAM to use the pam_krb5afs.so module to get AFS tokens.  I
> > get the following response from the tokens command:
> > 
> > Tokens held by the Cache Manager:
> > 
> > Tokens for afs@umbc.edu [Expires Jun 19 11:23]
> >    --End of list--
> > 
> > I appear to have tokens, and I have access to my AFS home directory.
> > While after I run afslog or klog, I get the following:
> > 
> > Tokens held by the Cache Manager:
> > 
> > User's (AFS ID xxxxxx) tokens for afs@umbc.edu [Expires Jun 19 11:23]
> >    --End of list--
> > 
> > I have been using the pam_krb5 RPM that comes with RedHat 6.2, and I have
> > tried newer versions of this PAM module, but I still get the same error.
> > While this error is minor, I am concerned that I may not be configuring
> > PAM correctly, or I am using a non-working version of Kerberos.  Any help on
> > configuring PAM for AFS in a Kerberos 5 environment would be greatly
> > appreciated.
> > 
> > Randy Philipp
> > 
> > 
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> > 

-- 
Thank you,
John Berninger

Systems Administrator		John_Berninger@ncsu.edu
Department of Mathematics	Box 8205, Harrelson Hall
NC State University		Raleigh, NC 27695
Phone:  (919)515-6315		Fax:	(919)515-3798

GPG Key ID: A8C1D45C
        Fingerprint: B1BB 90CB 5314 3113 CF22  66AE 822D 42A8 A8C1 D45C
--