[OpenAFS] help with pam-openafs-session
Derek T. Yarnell
derek@cs.umd.edu
Thu, 15 May 2003 16:08:14 -0400
On Thu, May 15, 2003 at 11:06:16AM -0500, Charles Clancy wrote:
> On Tue, 13 May 2003, Renato Arruda wrote:
>
> > Hi,
> >
> > I'm running OpenAFS 1.2.7 w/ a MIT KDC. As you can see, I can get krb5 tickets
> > and I can run aklog to get AFS tokens. I also have set up pam-openafs-session
> > so that I could get a token at login time without having to aklog for it and
> > so that I could store IMAP folders in home directories.
> > ...
> > session required /lib/security/pam_limits.so
> > session required /lib/security/pam_unix.so
> > session optional /lib/security/pam_krb5afs.so
> > session optional /lib/security/pam_openafs_session.so
>
> I doubt your IMAP server is calling pam_open_session when authenticating
> users. Your session modules are likely never executed. A "session" is
> supposed to only be opened when a TTY is actually allocated for the
> connection. For example, SSH will call the session modules only if you
> are really sshing in -- not if you're using scp.
>
> Can pam_openafs_session be used as an authentication module? Also, I
> didn't think you needed pam_openafs_session when using pam_krb5afs -- only
> when using pam_krb5.

No, it is a session module only. I would think that maybe you need to
make sure it is running a setpag. It looks like you are getting tokens,
just not getting them propagated to your shell/process/etc.

So something like this in pam_openafs_session.c:

    execle(AKLOG, "aklog", "-d", "-setpag", NULL, envi);
    /* execle(AKLOG, "aklog", NULL, envi); */

--
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
derek@cs.umd.edu
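
Added example, not part of the original thread: a small check for the situation Charles describes, listing the modules in a PAM service file that are configured only in the session stack and so never run if the service does not call pam_open_session. The service file contents, the auth/account lines and the function names are constructed for illustration; only the four session lines come from the post.

```python
from collections import defaultdict

# Constructed sample: session lines as quoted in the thread,
# auth/account lines assumed (the post elides them with "...").
SAMPLE_IMAP_PAM = """\
# /etc/pam.d/imap (constructed sample)
auth     required  /lib/security/pam_krb5afs.so
account  required  /lib/security/pam_unix.so
session  required  /lib/security/pam_limits.so
session  required  /lib/security/pam_unix.so
session  optional  /lib/security/pam_krb5afs.so
session  optional  /lib/security/pam_openafs_session.so
"""

TYPES = {"auth", "account", "password", "session"}


def parse_stack(text):
    """Map each module path to the set of PAM management groups it appears in."""
    groups = defaultdict(set)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue  # blank line, comment, or malformed entry
        mtype = fields[0].lstrip("-")  # leading '-' = stay quiet if module is missing
        if mtype not in TYPES:
            continue  # e.g. "@include common-auth"
        idx = 2
        if fields[1].startswith("["):
            # Bracketed control such as [success=ok default=ignore] spans fields.
            idx = 1
            while idx < len(fields) and not fields[idx].endswith("]"):
                idx += 1
            idx += 1
        if idx < len(fields):
            groups[fields[idx]].add(mtype)
    return groups


def session_only(text):
    """Modules that run only when the application opens a PAM session."""
    return sorted(m for m, g in parse_stack(text).items() if g == {"session"})


if __name__ == "__main__":
    for module in session_only(SAMPLE_IMAP_PAM):
        print("runs only on pam_open_session:", module)
```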