[OpenAFS] tokens at login (pam_krb5afs module)

Christopher Allen Wing wingc@engin.umich.edu
Mon, 25 Apr 2005 17:16:26 -0400 (EDT)


> 	As per the K5 migration info, I have an afs principal:
> afs@ECON.DUKE.EDU; however, I note that the pam_krb5afs tries several other
> combinations, but not this one exactly.  For example, it tries
> afs@ECON.DUKE.EDU, afs/econ.duke.edu@econ.duke.edu, and
> afs/econ.duke.edu@ECON.DUKE.EDU.


It looks like it tries 'afs@econ.duke.edu' instead of 'afs@ECON.DUKE.EDU':


> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")


This would work except that it's using the wrong realm name (lowercase vs
uppercase). To determine the realm name, pam_krb5 either uses the default
realm name, or else it uses the Kerberos 5 function krb5_get_host_realm(),
which maps a domain name to a realm name via the [domain_realm] section in
/etc/krb5.conf.
Assuming that your AFS server has a valid IP address -> reverse DNS
mapping, and that this mapping is in the .econ.duke.edu domain, try adding
the following to /etc/krb5.conf:


[domain_realm]
	econ.duke.edu = ECON.DUKE.EDU
	.econ.duke.edu = ECON.DUKE.EDU


I'm also assuming that you only have 1 AFS server; otherwise, pam_krb5
will break in a different way.


At some point I'll try to get some patches to Red Hat to clean up some of
these issues with pam_krb5.


-Chris Wing
wingc@engin.umich.edu
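The [domain_realm] lookup this reply describes, as an added Python example (not code from the thread, from pam_krb5 or from MIT Kerberos): it parses a constructed krb5.conf fragment and maps an AFS server's host name to a realm the way krb5_get_host_realm() is described above, exact host first, then each parent domain with a leading dot. The fallback to the raw lowercase domain when nothing matches is an assumption chosen to reproduce the afs@econ.duke.edu principal in the quoted log line; the host names are constructed.

```python
import re

# Constructed krb5.conf fragment; the [domain_realm] lines are the ones
# suggested in the reply above.
KRB5_CONF = """
[libdefaults]
    default_realm = ECON.DUKE.EDU

[domain_realm]
	econ.duke.edu = ECON.DUKE.EDU
	.econ.duke.edu = ECON.DUKE.EDU
"""


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a dict: lowercase domain -> realm."""
    mapping = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            domain, realm = (s.strip() for s in line.split("=", 1))
            mapping[domain.lower()] = realm
    return mapping


def host_realm(hostname, mapping):
    """Longest-suffix [domain_realm] lookup in the order krb5_get_host_realm() uses.

    1. the full host name itself;
    2. each parent domain, written with a leading dot (".econ.duke.edu");
    3. assumed fallback: the host's own domain, unchanged (lowercase), which is
       what produces the wrong realm "econ.duke.edu" in the quoted log line.
    """
    labels = hostname.lower().rstrip(".").split(".")
    host = ".".join(labels)
    if host in mapping:
        return mapping[host]
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return ".".join(labels[1:])


def afs_principal(server_hostname, mapping):
    """The afs@REALM principal pam_krb5 would request tokens with for that server."""
    return "afs@" + host_realm(server_hostname, mapping)
```

With the two mapping lines present the principal comes out as afs@ECON.DUKE.EDU; with an empty [domain_realm] section the same host yields afs@econ.duke.edu, the failure in the quoted log.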