[OpenAFS] PAM, Samba and OpenAFS

Charles Clancy security@xauth.net
Tue, 15 Jan 2002 15:08:48 -0600 (CST)


> I am having difficulty getting users configured so that they can SMB into
> their AFS directories.  SMB is properly configured and users can reach
> directories not in AFS.  I have this working successfully on a Sun system
> running Transarc AFS 3.6, with the AFS PAM module included under other.
> However on my RedHat 7.2 machine running OpenAFS 1.2.2 it does not seem to
> function with the PAM module in other and samba.  Any ideas would be
> greatly appreciated.

Well, you obviously don't have a token.  You're authenticated, letting
you connect, but without a token you can't access the filesystem.  I
assume you're using KAserver, not krb5 (per the PAM config).  What version
of Samba are you using?  After around 2.0.7, or so, they rearranged the
PAM client in Samba, so session management seems to be broken.  For that
reason, you need to make sure you get a token in the auth phase.  See
suggested config below.

> $ cat /etc/pam.d/samba
> auth    sufficient   /lib/security/pam_afs.so try_first_pass ignore_root
> auth    required     /lib/security/pam_stack.so service=system-auth
> account required     /lib/security/pam_stack.so service=system-auth

auth    sufficient   /lib/security/pam_afs.so ignore_root set_token
auth    required     /lib/security/pam_stack.so service=system-auth
account required     /lib/security/pam_stack.so service=system-auth
session required     /lib/security/pam_afs.so

"try_first_pass" is meaningless for the first module on the list.
There is no first pass to try.  It simply results in a failed
authentication attempt with NULL password.

Without "set_token" you wouldn't get a token until the "session" phase of
PAM.  For services such as scp, and broken-samba, that doesn't work.

I believe the transarc module (iirc -- it's been a while) has set_token by
default.  ...used to have a source license for AFS 3.4a...

--
t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
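The two pitfalls in the message (try_first_pass on the first auth module, and pam_afs without set_token so the token is only obtained in the session phase) are easy to check mechanically. The following linter is an added example, not part of the original post or of OpenAFS/Samba; it assumes the classic four-field pam.d line format (type, control, module path, arguments) and embeds the two configs quoted in the message as its inputs.

```python
"""Lint a /etc/pam.d-style service file for the AFS token pitfalls above.

Added example, not from the original message. Assumes the classic
pam.d line layout: type control module-path [args...].
"""
import shlex

# The two configurations quoted in the message, embedded so this runs offline.
ORIGINAL_CONFIG = """\
auth    sufficient   /lib/security/pam_afs.so try_first_pass ignore_root
auth    required     /lib/security/pam_stack.so service=system-auth
account required     /lib/security/pam_stack.so service=system-auth
"""

SUGGESTED_CONFIG = """\
auth    sufficient   /lib/security/pam_afs.so ignore_root set_token
auth    required     /lib/security/pam_stack.so service=system-auth
account required     /lib/security/pam_stack.so service=system-auth
session required     /lib/security/pam_afs.so
"""


def parse_pam(text):
    """Return a list of (type, control, module, args) tuples.

    Blank lines and '#' comments are skipped.  Bracketed control fields
    such as [success=1 default=ignore] are not handled; they do not
    appear in the configurations discussed here.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            raise ValueError("malformed pam.d line: %r" % raw)
        ptype, control, module = fields[0].lower(), fields[1].lower(), fields[2]
        entries.append((ptype, control, module, fields[3:]))
    return entries


def _is_pam_afs(entry):
    return entry[2].endswith("pam_afs.so")


def lint_afs_pam(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    auth = [e for e in parse_pam(text) if e[0] == "auth"]

    # Pitfall 1: try_first_pass on the first auth module.  No module ran
    # before it, so there is no password to reuse and the module fails
    # with an empty (NULL) password.
    if auth and "try_first_pass" in auth[0][3]:
        findings.append(
            "first auth module uses try_first_pass, but no earlier module "
            "supplies a password")

    # Pitfall 2: pam_afs in the auth phase without set_token.  The token
    # is then only obtained in the session phase, which clients such as
    # scp and the Samba versions discussed never run.
    for entry in auth:
        if _is_pam_afs(entry) and "set_token" not in entry[3]:
            findings.append(
                "pam_afs.so auth entry lacks set_token; token deferred to "
                "the session phase")

    if not any(_is_pam_afs(e) for e in auth):
        findings.append("no pam_afs.so entry in the auth phase")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("suggested", SUGGESTED_CONFIG)):
        print("%s: %s" % (name, lint_afs_pam(cfg) or ["ok"]))
```

Run against the original config it reports both problems; the suggested config passes cleanly. To check a live system, read `/etc/pam.d/samba` and pass its contents to `lint_afs_pam`.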