[OpenAFS] Some questions (gssklog, openssh)

David Ferch dferch@gmx.net
Tue, 30 Sep 2003 22:07:44 +0200

Hello there,

I'm using OpenAFS 1.2.10 on Solaris 8/9 here. Two servers using SEAM for
Kerberos 5 authentication. The same two servers run openafs - so I can't
get an afs token direct at my clients, because the SEAM daemons using
ports 88 and 750. I implemented gssklog daemon and it runs fine. But I
can't get mod_gssklog work. It does nothing. I compiled it for 32 and
Here's what I added to /etc/pam.conf:

login  auth requisite	pam_authtok_get.so.1
login  auth required	pam_unix_auth.so.1
login  auth optional	pam_krb5.so.1 try_first_pass
login  auth optional	/opt/krb5/lib/security/pam_gssklog.so.1

I modified the sources to point to /opt/krb5/bin/gssklog. Now pam_krb5
get's an ticket and create /tmp/krb5c_<uid>. But pam_gssklog can't get an

Second question: I've got OpenSSH 3.7.1p2 work with patch from bugzilla
(someone posted it last week). Now kerberos credential forwarding and
authentication via gssapi works. But, how can I get an afs token for
writing the X11 token to ~/.Xauthority. Yes, I created ~/.ssh/environement
and set XAUTHORITY=/afs/.domain.net/users/dferch/.public/.Xauthority. The
path .public is writeable to system:anyone. OpenSSH allow userenvironments
(in sshd_config). But X11 forwarding won't work. SSHD complains about
writing to /afs/.domain.net/users/dferch/.Xauthority. I don't know why.
Maybe someone who gets it working can help me.

Oh, last question. Last week one of the two servers (with the lower ip .4
- only readonly copies) comes unavailable. After 10 minutes I can't access
my cell from clients. I've got "/afs: no such file or directory". The
second servers ip is .6 and it has all rw-volumes on it). I can't find
something about this failure. Does someone knows about ?

Thank you for your help.


Against TCPA - nothing fights like the opposition