[OpenAFS] Off-topic, anyone tried this?

Derek T. Yarnell derek@cs.umd.edu
Tue, 21 May 2002 18:55:46 -0400


On Tue, May 21, 2002 at 03:38:37PM -0700, Michael Lasevich wrote:
> I checked path, it was fine. I did not think this was an issue because I was
> already getting errors from aklog, so it was running.
> 
> I added -d flag to be passed to aklog and got this output:
> 
> (afscell is the name of the cell, afsserver is the name of the server and
> REALM is AD Realm name. (These are not the actual values, I replaced them.))
> -----------------------------------
> Authenticating to cell afscell (server afsserver.afscell).
> We've deduced that we need to authenticate to realm REALM.
> Getting tickets: afs/afscell@REALM
> Kerberos error code returned by get_cred: 22
> aklog: Couldn't get afscell AFS tickets:
> aklog: Invalid argument while getting AFS tickets
> ----------------------------
> I am suspecting it is something
> 

I got these same errors. I am guessing that it hasn't written out your ticket yet.
I don't have the pam-openafs-session in the system-auth, I put it in login. (you
may also want to put it in gdm if you do it this way and others, ssh, etc, this is
not really the way you should do it but right now it works)

Also I am using the pam_krb5 module and not the pam_krb5afs. Don't know if that is
your problem. 

The way I debugged it was to change the aklog binary being called with a shell script
to print out the env and look at the /tmp dir to see what files were there when it
ran.

> > Make sure that you have changed the path in the pam_openafs_session.c to the
> > correct one for aklog.
> >
> > Also see my previous mail about the ordering.
> 
> Order is correct, but just in case, here is the "system-auth" file (extra
> set of eyes always helps)
> 
> BTW, does anyone know which module sets the home dir? I get homedir not
> found BEFORE aklog runs, thus even if it does work, I'll have a problem with
> home dirs.
> 
> ---------------------------
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/pam_krb5afs.so use_first_pass tokens debug
> auth        required      /lib/security/pam_deny.so
> 
> account     required      /lib/security/pam_unix.so
> 
> password    required      /lib/security/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow nis
> password    sufficient    /lib/security/pam_krb5afs.so use_authtok debug
> password    required      /lib/security/pam_deny.so
> 
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
> session     optional      /lib/security/pam_krb5afs.so debug
> session     optional      /lib/security/pam_openafs_session.so debug
> --------------------------------------
> 
> Thank you.
> 
> -Michael
> 

-- 
---
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
derek@cs.umd.edu
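
The debugging approach described in the message above (a shell script standing in for aklog that records the environment and the contents of /tmp), sketched as an added example that is not part of the original mail. The `REAL_AKLOG` path, the log file name and the `ccache_status` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Diagnostic stand-in for aklog (added example, not from the original mail).
# Install it under the name "aklog" and move the real binary to REAL_AKLOG
# (assumed path; adjust to the local install).
REAL_AKLOG="${REAL_AKLOG:-/usr/bin/aklog.real}"

# Classify the credential cache named by a KRB5CCNAME value.
# Prints one of: unset, other, missing, empty, present
ccache_status() {
    name="$1"
    case "$name" in
        "")      echo unset; return ;;
        FILE:*)  path="${name#FILE:}" ;;
        /*)      path="$name" ;;
        *)       echo other; return ;;   # not a file-based cache
    esac
    if [ ! -e "$path" ]; then echo missing      # ticket not written yet
    elif [ ! -s "$path" ]; then echo empty
    else echo present
    fi
}

main() {
    umask 077                      # the log holds the full environment
    log=$(mktemp /tmp/aklog-debug.XXXXXX) || exit 1
    {
        echo "uid=$(id -u) args=$*"
        echo "KRB5CCNAME=${KRB5CCNAME:-} -> $(ccache_status "${KRB5CCNAME:-}")"
        echo "--- environment ---"
        env
        echo "--- /tmp ---"
        ls -la /tmp
    } >"$log" 2>&1
    exec "$REAL_AKLOG" "$@"        # hand over to the real aklog
}

# Only act as the wrapper when invoked under the name aklog.
case "${0##*/}" in
    aklog) main "$@" ;;
esac
```

Restore the real binary and delete the log files once the session problem is found, since they contain the login environment.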