[OpenAFS] [FOR TESTING] pam_krb5 RPMs for RHEL4 that work properly (i386, x86_64)

Christopher Allen Wing wingc@engin.umich.edu
Fri, 6 May 2005 17:25:08 -0400 (EDT)

Several people have been asking me as well as the OpenAFS list about
problems with the pam_krb5 PAM module included with Red Hat Enterprise
Linux 4. It has several bugs, including:

	- doesn't work properly with dynroot enabled
	- may not work when your 'root.cell' volume is replicated across
	  more than 1 server

I finally got around to doing a proper fix for these issues. I rebuilt the
pam_krb5 RPM with the following changes:

1. pam_krb5 was basically doing 'fs whichcell /afs' to determine the name
of the local cell. So if you had dynroot enabled it wanted to obtain
tokens in a cell named 'dynroot'. I changed it to do the equivalent of 'fs
wscell' instead.

2. pam_krb5 only tries to get tokens for the local cell by default. I
changed it to also try to get tokens in the cell containing the user's
home directory, if different than the local cell.

3. pam_krb5 needs to know which Kerberos realm to use to obtain the AFS
service ticket. It basically uses the following procedure:

	fs whereis /afs/cell.name

	look up the DNS names of the file servers for /afs/cell.name

	use krb5_get_host_realm() on these DNS names to get the matching
	Kerberos realm

Aside from the question of whether or not this is the correct thing to do,
pam_krb5 was only passing a buffer big enough to hold 1 IP address when
looking up the servers containing /afs/cell.name. So if your root.cell
volume was replicated it would break. I fixed this.

4. Not all of the debugging statements in pam_krb5 were active, even when
'debug' was specified in the pam configuration files. Some of the
debugging statements that didn't work were instrumental in figuring out
what was wrong with the above problems.

5. I also packaged the 'afs5log' program. This is included with the source
code of pam_krb5, and basically does the same thing as 'aklog', except
using Red Hat's own AFS code instead of the actual AFS libraries.
It's useful for debugging purposes since it acts mostly identically to

You can download the updated RPMs from here:


I compiled them both for i386 and x86_64 (AMD Athlon64/Opteron/Intel

Hopefully, these should fix any problems people are having with pam_krb5
logins for users with AFS home directories. I don't know anything about
Fedora or other OSes, but I'd guess you should be able to recompile this
module on FC3 or similar systems at least.

I will be sending the patches to Red Hat very soon so hopefully future
versions of pam_krb5 will include the fixes.


Chris Wing
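
The buffer-sizing problem described in item 3, as an added C example that is not part of the original message and is not pam_krb5's code or the patch itself. `lookup_sites`, `MAX_SITES`, the sample addresses and the E2BIG failure mode are hypothetical stand-ins for the real "fs whereis" lookup.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SITES 16 /* assumed cap on servers holding one volume */

/* Constructed sample data (TEST-NET-1 addresses), not real file servers. */
static const uint32_t one_site[]    = { 0xC0000201u };
static const uint32_t three_sites[] = { 0xC0000201u, 0xC0000202u, 0xC0000203u };

/* Hypothetical stand-in for the "fs whereis" lookup: copies the server list
 * into the caller's buffer and returns the count, or -1 with E2BIG when the
 * buffer cannot hold every address (assumed failure mode). */
static int lookup_sites(const uint32_t *sites, size_t n, void *out, size_t out_len)
{
    if (n > out_len / sizeof(uint32_t)) {
        errno = E2BIG;
        return -1;
    }
    memcpy(out, sites, n * sizeof(uint32_t));
    return (int)n;
}

/* Before: room for exactly one address, so a replicated volume fails. */
static int sites_single_slot(const uint32_t *sites, size_t n)
{
    uint32_t addr;
    return lookup_sites(sites, n, &addr, sizeof(addr));
}

/* After: buffer sized for the maximum, length derived from that size. */
static int sites_full_buffer(const uint32_t *sites, size_t n, uint32_t out[MAX_SITES])
{
    return lookup_sites(sites, n, out, MAX_SITES * sizeof(uint32_t));
}

int main(void)
{
    uint32_t out[MAX_SITES];
    printf("single slot, 1 site:  %d\n", sites_single_slot(one_site, 1));
    printf("single slot, 3 sites: %d\n", sites_single_slot(three_sites, 3));
    printf("full buffer, 3 sites: %d\n", sites_full_buffer(three_sites, 3, out));
    return 0;
}
```

Each address returned by the full-size lookup would then be resolved to a DNS name and passed to krb5_get_host_realm(), as the procedure in item 3 describes.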