[OpenAFS] Problem with pam on debian with 1.3.81 kernel 2.6.11

Simon Lyngshede simon@s-et.aau.dk
Thu, 14 Apr 2005 13:54:22 +0200


On Thu, Apr 14, 2005 at 12:59:13PM +0200, Lars Schimmer wrote:
> Hi!
> 
> I set up pam conf on debian sarge like it was written here:
> http://mailman.mit.edu/pipermail/kerberos/2004-October/006601.html
> 
> And tried to login and get my tokens.
> 
> I can log in, but can't get any tickets. I have to call kinit manually to
> get a ticket and after that aklog to obtain a token.
> Has anyone a working conf on debian sarge for me?
> 

The following works on my setup: Debian Sarge, Kerberos 5 and OpenAFS.

You need the libpam-openafs-session and libpam-krb5 (MIT Kerberos)
packages.

The following is just the Kerberos and AFS part of my PAM
configuration. Note that there is no common-password; I don't use it,
but I suspect that it wouldn't be much different.

/etc/pam.d/common-account:
account sufficient      pam_krb5.so

/etc/pam.d/common-auth:
auth    sufficient      pam_krb5.so

/etc/pam.d/common-session:
session optional        pam_krb5.so
session optional        pam_openafs_session.so

The "KerberosTgtPassing yes" won't work on Sarge, as the Debian
package doesn't support that, so you'll need to compile OpenSSH
yourself. Steps 2 and 3 in the guide you refer to are redundant if you let
PAM handle everything. The downside is that you won't be able to use
ssh keys, which brings you back to recompiling SSH yourself. The
ssh-krb5 package doesn't really seem to contain as many features as
one would like. I might be wrong, but I failed to make it work.

Hope it helps

-- 
Simon
Do not assume that low-probability, high-impact events will not happen.
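
An added example, not part of the original post: a small lint that parses PAM stack files and checks that the Kerberos and AFS modules from the message are present, with the session modules in the order the post lists them. It assumes the `auth` line belongs in `/etc/pam.d/common-auth`; the sample file contents and the names `parse_pam` and `check` are constructed for illustration.

```python
import re

# Modules the post lists per file (file name under /etc/pam.d is an assumption
# for the auth line: common-auth).
EXPECTED = {
    "common-account": [("account", "pam_krb5.so")],
    "common-auth": [("auth", "pam_krb5.so")],
    "common-session": [("session", "pam_krb5.so"),
                       ("session", "pam_openafs_session.so")],
}

# type, control (simple word or [bracketed list]), module path
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pam(text):
    """Return (type, control, module basename) per rule; skip comments and @include."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE.match(line)
        if not line or line.startswith("@") or not m:
            continue
        rules.append((m.group(1).lstrip("-"), m.group(2),
                      m.group(3).rsplit("/", 1)[-1]))
    return rules

def check(files):
    """files maps a PAM file name to its text; returns a list of problems."""
    problems = []
    for name, wanted in EXPECTED.items():
        rules = parse_pam(files.get(name, ""))
        pos = -1
        for mtype, module in wanted:
            hits = [i for i, (t, _c, mod) in enumerate(rules)
                    if t == mtype and mod == module]
            if not hits:
                problems.append(f"{name}: missing {mtype} {module}")
            elif hits[0] < pos:
                problems.append(f"{name}: {module} is out of order")
            else:
                pos = hits[0]
    return problems

# Constructed sample: the post's lines plus an ordinary pam_unix fallback.
GOOD = {
    "common-account": "account sufficient pam_krb5.so\naccount required pam_unix.so\n",
    "common-auth": "auth sufficient pam_krb5.so\nauth required pam_unix.so\n",
    "common-session": "session optional pam_krb5.so\n"
                      "session optional pam_openafs_session.so\n",
}

if __name__ == "__main__":
    print(check(GOOD) or "PAM stack matches the post")
```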