[OpenAFS] pam with krb5 + openafs

Sergio Gelato Sergio.Gelato@astro.su.se
Wed, 19 May 2004 19:54:28 +0200


* David Miller [2004-05-19 15:20:05 +0100]:
> I'm running MIT krb5 and openafs 1.2.11 on debian (stable on servers, 
> testing+unstable on desktops)
> 
> I've yet to find a decent way to keep a users tokens refreshed.
> Ideally I'd like to have users logging in to their machines (using [x|g|k]dm)
> obtain a renewable krb5 ticket (preferably with a longer initial
> lifetime too), and have xlock or xscreensaver refresh their ticket/token.

Does it have to be the screen locker? While it would be fairly natural
for the PAM module to get a new TGT on unlock if the previous one has
expired, or even if it hasn't, for simple "kinit -R" one could have a
separate background daemon (started from the user's .gnomerc or what
not, within the PAG created by the login process). Just sleep a few
hours, wake up, kinit -R, go back to sleep if successful, exit if no
valid TGT. Throw in an aklog invocation too, if you're using the MIT
client-side tools; Heimdal kinit has afslog built in. The same script
can be used in long-running batch jobs etc.

> Is using something like xlock/xscreensaver with pam and appropriate pam
> modules for krb5 and openafs the "normal" way of doing it?

I've had good success on Debian woody with the pam_krb5 from
sourceforge.net (the June 2003 snapshot, which identifies itself
internally as 1.3-rc8). Linked against Heimdal rather than MIT;
that's not a problem in woody as long as you have no library conflicts
(don't try to mix MIT and Heimdal libs in the same process in Debian
woody; the problem should have been taken care of for sarge, although
I haven't actually tested it).

I don't know about normality, but I do have an
    auth     sufficient     pam_krb5afs.so refresh_creds
in /etc/pam.d/xscreensaver, and an
    auth     sufficient     pam_krb5afs.so forwardable
    account  sufficient     pam_krb5afs.so
    session  optional       pam_krb5afs.so
in /etc/pam.d/gdm.

There is almost certainly more than one way to do it.

> there's the pam_krb5 and pam_krb5afs from
> http://sourceforge.net/projects/pam-krb5/
> which can do everything (AFS token grabbing, refreshing of tokens,
> setting ticket lifetime).
> But won't work with a 1.3 MIT kerberos 5 (it's in the bug tracking), and I
> can't seem to find the right krbafs library that it needs to support AFS
> token grabbing.

I'm not sure about that MIT 1.3 issue, but unless it's an
incompatibility with the MIT KDC I'd suggest simply linking the PAM
modules against Heimdal's libs. You can use MIT for everything else.
If you run into ticketflags bit ordering issues in the credentials
cache, there is a fix for this in Heimdal 0.6.1 and newer:
[libdefaults] fcc-mit-ticketflags = true . (Will be the default in 0.7.)

> the pam modules that are part of openafs don't support kerberos 5.
>
> libpam-openafs-session is part of debian, but won't refresh tokens and is
> only a session pam module (xscreensaver needs an auth module).
> the pam_krb5 module that comes with debian doesn't support setting the
> ticket lifetime, or obtaining a refreshable ticket.

There is also kpam, which kind of worked for me (until 2004-01-11
anyway), except that the versions I've looked at had no support for 
authenticating the KDC.
The pam_krb5 from sourceforge can do it, which is a big plus in my book.
(Try [appdefaults] pam = { validate = true } . You'll need a host/*
key in /etc/krb5.keytab, of course.)

> What are people using for desktop linux systems ?
> especially on debian.
> 
> Many thanks
> David
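
As an added illustration (not part of Sergio's message, nor code from
pam_krb5, Heimdal or OpenAFS), here is the background renewer sketched
earlier in the reply: sleep, kinit -R, aklog, exit once there is no valid
TGT left. It assumes MIT-style tools on the PATH, that "klist -s" exits 0
only while a valid TGT exists (Heimdal's klist accepts the same flag), and
a constructed default interval of four hours.

```shell
#!/bin/sh
# Added example: TGT/AFS-token renewer loop, meant to be started from the
# user's .gnomerc (or similar) so it lives inside the login PAG.

# Renewal interval in seconds; 4 hours is a constructed default, override
# it through the environment if your ticket lifetime is shorter.
RENEW_INTERVAL=${RENEW_INTERVAL:-14400}

# have_valid_tgt: returns 0 while the credentials cache holds a valid TGT.
# Both MIT and Heimdal klist support -s for exactly this test (assumption).
have_valid_tgt() {
    klist -s >/dev/null 2>&1
}

# renew_once: renew the TGT and refresh the AFS token.
# Returns 0 on success, 1 if no valid TGT is left (the loop should exit),
# 2 if renewal failed for some other reason (e.g. KDC unreachable).
renew_once() {
    have_valid_tgt || return 1
    kinit -R >/dev/null 2>&1 || return 2
    # Heimdal's kinit has afslog built in; with MIT tools run aklog, which
    # is harmless when a token is already present.
    if command -v aklog >/dev/null 2>&1; then
        aklog >/dev/null 2>&1 || return 2
    fi
    return 0
}

# renew_loop: sleep, renew, repeat; returns 0 once the TGT is gone so the
# process ends instead of looping uselessly. Transient failures are retried
# on the next round, since the ticket may still be renewable.
renew_loop() {
    while :; do
        sleep "$RENEW_INTERVAL"
        rc=0
        renew_once || rc=$?
        if [ "$rc" -eq 1 ]; then
            return 0
        fi
    done
}

# In .gnomerc:  . /path/to/this/script && renew_loop &
```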