[OpenAFS] aklog and PAM for Solaris

John Tang Boyland boyland@solomons.cs.uwm.edu
Sat, 20 Aug 2005 17:06:01 -0500

I've been able to transition to using Kerberos V with the help
of people on this list and Ken's migration kit (thanks!).  I put some
notes in the Wiki to fill in some gaps.

I notice that openafs-1.3.87 includes aklog (good!) but it seems to be
missing a PAM module that can be used with krb5.  The man page
pam_afs.5 says one should use pam_krb5 instead of pam_afs but of
course, pam_krb5 doesn't get AFS tokens.  Because of the way dtlogin
works on Solaris, you need to get tokens before the .profile/.cshrc is
sourced.  A PAM module seems to be the right thing.  There are old
notes talking about pam_aklog (on Martin Schultz's old AFS-Krb5 web
page that is only available in Google caches) including about
T. Clancy's pam_aklog with a dead URL.

(1) How do other sites handle this?  Is pam_aklog passé?
(2) If not, how can I get it for Solaris?
  (2b) Is there some reason why it isn't integrated with
       aklog in the src tree?  (or in the PAM directory.)
(3) Can we get some documentation/help with this from Openafs.org?
   There are many places that encourage one to use krb5 instead
   of AFS kaserver, but one's left scrounging around in unofficial
   RPMs off random websites to get something to work with Solaris.