[OpenAFS] Getting tokens for non-interactive services

Charles Clancy security@xauth.net
Tue, 4 Mar 2003 21:47:08 -0600 (CST)


On Tue, 4 Mar 2003, Frank Burkhardt wrote:
> On Sat, Mar 01, 2003 at 11:13:53PM -0600, Charles Clancy wrote:
> > On Sat, 1 Mar 2003, Frank Burkhardt wrote:
> > > On Wed, Feb 26, 2003 at 02:01:49PM -0600, Charles Clancy wrote:
> > >
> > > > Try removing the set_token from pam_openafs_session.  Perhaps your krb5
> > > > module isn't creating the krb5 credential cache until setcred, and since
> > > > samba properly supports setcred, it should be fine.
> > >
> > > Samba won't grant afs-authenticated access either with or without
> > > set_token.
> >
> > Can you turn up the Samba debug level (and the PAM debug level) to get
> > some relevant logs?
>
> How can I increase the pam debug level? The only debug-option I found was
> to add "debug" to any line of /etc/pam.d/samba . This doesn't show
> anything useful. Is there a chance to switch the whole pam-stack into
> debug-mode?

As far as I know, most modules will write debug stuff to syslog if the
debug option is set.  You'll probably need to configure syslog to actually
save those log entries.  I imagine it's not configured to save *.debug by
default.

Have you considered using pam_krb5afs, rather than pam_krb5 and
pam_openafs_session?

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]