[OpenAFS] Problem with pam on debian with 1.3.81 kernel 2.6.11
Lars Schimmer
schimmer@cg.cs.tu-bs.de
Thu, 14 Apr 2005 15:30:23 +0200
Simon Lyngshede wrote:
| On Thu, Apr 14, 2005 at 12:59:13PM +0200, Lars Schimmer wrote:
|
|>Hi!
|>
|>I set up pam conf on debian sarge like it was written here:
|>http://mailman.mit.edu/pipermail/kerberos/2004-October/006601.html
|>
|>And tried to login and get my tokens.
|>
|>I can login, but can't get any tickets. I have to call kinit manually to
|>get a ticket and after that aklog to obtain a token.
|>Has anyone a working conf on debian sarge for me?
|>
|
|
| The following works on my setup, Debian Sarge, Kerberos 5 and OpenAFS
|
| You need the libpam-openafs-session and libpam-krb5 (MIT Kerberos)
|
| The following is just the Kerberos and AFS part of my PAM
| configuration, note that there is no common-password, I don't use it,
| but I suspect that it wouldn't be much different.
|
| /etc/pam.d/common-account:
| account sufficient pam_krb5.so
|
| /etc/pam.d/common-auth:
| auth sufficient pam_krb5.so
|
| /etc/pam.d/common-session:
| session optional pam_krb5.so
| session optional pam_openafs_session.so
|
| The "KerberosTgtPassing yes" won't work on Sarge, as the Debian
| package doesn't support that, so you'll need to compile OpenSSH
| yourself. Steps 2 and 3 in the guide you refer to are redundant if you let
| PAM handle everything. The downside is that you won't be able to use
| ssh keys, which brings you back to recompiling SSH yourself. The
| ssh-krb5 package doesn't really seem to contain as many features as
| one would like. I might be wrong, but I failed to make it work.
So, changed PAM to nearly ONLY those entries, and yes, it works. Kerberos5 Auth
user can login and get tickets and tokens. *fine*
And in common-auth I left the unix login uncommented, and root can login, too.
So far so good :-)
Now the experienced topics. I've installed the latest ssh-krb package.
But limited time today, so tomorrow I'll test ticketforwarding and login with
ssh keys.
Oh, one more question:
PAM is really a mess for me.
How to change the kscreensaver to work with kerberos? I think it will be very
annoying if the user locks the screen and can't unlock it...
| Simon
Thx so far
Lars
--
-----------------------------------------------------------------
Technische Universität Braunschweig, Institut für Computergraphik
Tel.: +49 531 391-2109 E-Mail: schimmer@cg.cs.tu-bs.de
PGP-Key-ID: 0xB87A0E03
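
Added example (not part of the original messages, and not code from PAM, libpam-krb5 or OpenAFS): a simplified Python model of how a "sufficient" pam_krb5.so entry combines with a following unix module in the auth stack, which is why both Kerberos users and root can log in with the setup discussed above. The "auth required pam_unix.so" line is an assumption (the thread only says the unix login stayed enabled in common-auth), and only the four classic control flags are modelled, not the [value=action] syntax.

```python
# Added example: simplified model of Linux-PAM's classic control flags.
# The pam_unix.so line is an assumption; the thread only says the unix
# login was left enabled in common-auth.
COMMON_AUTH = """\
auth sufficient pam_krb5.so
auth required   pam_unix.so   # assumed line, not quoted in the thread
"""

def parse_stack(text, mod_type):
    """Return [(control, module)] for config lines of one type (auth, session, ...)."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mod_type:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """results maps module name -> True if that module succeeds for this login."""
    required_failed = False   # a 'required' module has failed so far
    any_success = False       # some module has contributed a success
    for control, module in stack:
        ok = results[module]
        if control == "requisite" and not ok:
            return False                    # fail at once, skip the rest
        if control == "sufficient":
            if ok and not required_failed:
                return True                 # succeed at once, skip the rest
            continue                        # a failure here is ignored
        if control == "optional" and not ok:
            continue                        # a failure here is ignored
        if ok:
            any_success = True
        else:
            required_failed = True          # keep going, but the stack fails
    return any_success and not required_failed

def login(config, krb5_ok, unix_ok):
    """Evaluate the auth stack in config for one login attempt."""
    stack = parse_stack(config, "auth")
    return evaluate(stack, {"pam_krb5.so": krb5_ok, "pam_unix.so": unix_ok})

if __name__ == "__main__":
    print("Kerberos user:     ", login(COMMON_AUTH, True, False))
    print("root (local only): ", login(COMMON_AUTH, False, True))
    print("wrong password:    ", login(COMMON_AUTH, False, False))
    print("root, krb5 only:   ", login("auth sufficient pam_krb5.so\n", False, False))
```

Because a successful "sufficient" module ends the stack, any check listed below pam_krb5.so is never consulted for Kerberos logins; checks that must apply to every user belong above it.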