[OpenAFS] [aklog] pam integration (fwd)
Sebastian Roth
Sebastian.Roth@frm2.tum.de
Wed, 16 Apr 2003 17:38:20 +0200 (CEST)
Hi all,
yesterday I finished a basic openafs with kerberos 5 installation
(happy, docs will follow). ;)
Right now, there are still problems with aklog integration into pam.
Used versions:
RedHat 7.3
Kerberos V 1.2.7
OpenAFS 1.2.8
afs-krb5 2.0 (The migration kit I think) [1]
pam_openafs-krb5 1.0 (not sure, was included in debian unstable, so I
grabbed from there)
OpenSSH 3.6.1p1
Let's start with /etc/pam.d/sshd:
<conf>
#%PAM-1.0
auth required pam_nologin.so
auth required pam_env.so
auth sufficient pam_krb5.so forwardable
auth required pam_unix.so try_first_pass shadow
account sufficient pam_krb5.so forwardable
account required pam_unix.so try_first_pass shadow
password required pam_krb5.so forwardable
session sufficient pam_krb5.so forwardable
session required pam_openafs-krb5.so
session required pam_unix.so
</conf>
Current behavior is that users can log in, but don't have any rights to
their home directory. (ACLs are set up properly, btw.) If they type in
`aklog` manually, access to their homes works.
So there could be a problem inside the pam-module. I walked through the
source of pam_openafs-krb5.so and aklog and inserted some `syslog`-calls.
Very interesting: it seems that aklog doesn't like being started from the
pam-module, as it gets started from there and fails with the error message:
<msg>
aklog: Couldn't get admin.frm2 AFS tickets:
aklog: Invalid argument while getting AFS tickets
</msg>
Other solutions like putting aklog into /etc/profile or using other pam
modules (e.g. pam-aklog) didn't help.
Please give me a hint...
Thank you in advance,
Sebastian
[1] ftp://ftp.cmf.nrl.navy.mil/pub/kerberos5/afs-krb5-2.0.tar.gz
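
The following is an added example, not part of the original message and not code from OpenAFS or the PAM modules named in it. It applies Linux-PAM's control-flag semantics to the posted /etc/pam.d/sshd and lists, per stack, the modules that do not run once a `sufficient` entry succeeds. It assumes simple keyword controls only (no bracketed `[...]` controls), and the function names are hypothetical.

```python
# Stack copied from the /etc/pam.d/sshd posted in the message above.
SSHD_PAM = """\
#%PAM-1.0
auth required pam_nologin.so
auth required pam_env.so
auth sufficient pam_krb5.so forwardable
auth required pam_unix.so try_first_pass shadow
account sufficient pam_krb5.so forwardable
account required pam_unix.so try_first_pass shadow
password required pam_krb5.so forwardable
session sufficient pam_krb5.so forwardable
session required pam_openafs-krb5.so
session required pam_unix.so
"""

def parse(text):
    """Return {type: [(control, module), ...]} in file order."""
    stacks = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 3:
            continue
        mtype, control, module = fields[:3]
        stacks.setdefault(mtype, []).append((control, module))
    return stacks

def skipped_after_sufficient(text):
    """Map each type to (sufficient module, modules listed after it).

    Linux-PAM stops processing a stack as soon as a `sufficient` module
    succeeds (if no earlier `required` module failed), so the later
    modules never run on that path.
    """
    report = {}
    for mtype, entries in parse(text).items():
        for i, (control, module) in enumerate(entries):
            if control == "sufficient":
                later = [m for _, m in entries[i + 1:]]
                if later:
                    report[mtype] = (module, later)
                break
    return report

if __name__ == "__main__":
    for mtype, (gate, later) in skipped_after_sufficient(SSHD_PAM).items():
        print(f"{mtype}: if {gate} succeeds, not run: {', '.join(later)}")
```

For the session stack this reports pam_openafs-krb5.so and pam_unix.so as not run when pam_krb5.so succeeds, and for the account stack it reports that pam_unix.so account checks are skipped for users pam_krb5.so accepts.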