[OpenAFS] gdm + openafs-session management
Klaas Hagemann
kerberos@northsailor.de
Thu, 26 Sep 2002 18:21:19 +0200
Hi to all,
I still have many problems in getting the gdm login manager working with
pam_openafs-krb5 the right way.
Logging in is no problem; only logging out causes many problems.
Here is my /etc/pam.d/gdm on SuSE Linux 8.0:
#%PAM-1.0
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_unix_auth.so try_first_pass
auth required /lib/security/pam_krb5.so use_first_pass
account sufficient /lib/security/pam_unix_acct.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so
password sufficient /lib/security/pam_ldap.so
password required /lib/security/pam_pwdb.so use_first_pass
session required /lib/security/pam_unix_session.so
session optional /lib/security/pam_krb5.so
session optional /lib/security/pam_openafs-krb5.so debug
pam_openafs-krb5 returns PAM_SUCCESS, but it seems to cause errors in
pam_krb5.
Therefore logout hangs after finishing pam_openafs-krb5.
When I create a local home directory the problem occurs as well, so it does
not hang because of not being able to write something in the home directory.
When I modify pam_openafs-krb5 so that it only returns
PAM_SUCCESS and does nothing, I can log out with no problems.
But then I cannot log back in again, because the still existent AFS token
does not match the Kerberos ticket, as far as I can see. However, the
system uses 99% of the resources to "convert kerberos tickets" and does not
want to end.
I tried to use aklog and unlog in the PreSession and PostSession scripts,
but authentication to AFS is too late at this point.
Thanks for any comments, I will try them all.
Klaas