[OpenAFS] Re: [OpenAFS-devel] [FOR TESTING] pam_krb5 RPMs for RHEL4 that work properly (i386, x86_64)

Troy Benjegerdes hozer@hozed.org
Sat, 7 May 2005 23:08:06 -0500


This is not directly related to openafs, but does this module support
allowing users to change expired kerberos passwords via ssh
keyboard-interactive login?

On Fri, May 06, 2005 at 05:25:08PM -0400, Christopher Allen Wing wrote:
> Several people have been asking me as well as the OpenAFS list about
> problems with the pam_krb5 PAM module included with Red Hat Enterprise
> Linux 4. It has several bugs, including:
> 
> 	- doesn't work properly with dynroot enabled
> 	- may not work when your 'root.cell' volume is replicated across
> 	  more than 1 server
> 
> 
> I finally got around to doing a proper fix for these issues. I rebuilt the
> pam_krb5 RPM with the following changes:
> 
> 1. pam_krb5 was basically doing 'fs whichcell /afs' to determine the name
> of the local cell. So if you had dynroot enabled it wanted to obtain
> tokens in a cell named 'dynroot'. I changed it to do the equivalent of 'fs
> wscell' instead.
> 
> 2. pam_krb5 only tries to get tokens for the local cell by default. I
> changed it to also try to get tokens in the cell containing the user's
> home directory, if different than the local cell.
> 
> 3. pam_krb5 needs to know which Kerberos realm to use to obtain the AFS
> service ticket. It basically uses the following procedure:
> 
> 	fs whereis /afs/cell.name
> 
> 	look up the DNS names of the file servers for /afs/cell.name
> 
> 	use krb5_get_host_realm() on these DNS names to get the matching
> 	Kerberos realm
> 
> Aside from the question of whether or not this is the correct thing to do,
> pam_krb5 was only passing a buffer big enough to hold 1 IP address when
> looking up the servers containing /afs/cell.name. So if your root.cell
> volume was replicated it would break. I fixed this.
> 
> 4. Not all of the debugging statements in pam_krb5 were active, even when
> 'debug' was specified in the pam configuration files. Some of the
> debugging statements that didn't work were instrumental in figuring out
> what was wrong with the above problems.
> 
> 5. I also packaged the 'afs5log' program. This is included with the source
> code of pam_krb5, and basically does the same thing as 'aklog', except
> using Red Hat's own AFS code instead of the actual AFS libraries.
> It's useful for debugging purposes since it acts mostly identically to
> pam_krb5.
> 
> 
> You can download the updated RPMs from here:
> 
> 	http://www-personal.engin.umich.edu/~wingc/openafs/pam_krb5/2.1.2-1.fixed/
> 
> 
> I compiled them both for i386 and x86_64 (AMD Athlon64/Opteron/Intel
> EM32T).
> 
> 
> Hopefully, these should fix any problems people are having with pam_krb5
> logins for users with AFS home directories. I don't know anything about
> Fedora or other OSes, but I'd guess you should be able to recompile this
> module on FC3 or similar systems at least.
> 
> 
> 
> 
> I will be sending the patches to Red Hat very soon so hopefully future
> versions of pam_krb5 will include the fixes.
> 
> 
> Thanks,
> 
> Chris Wing
> wingc@engin.umich.edu
> _______________________________________________
> OpenAFS-devel mailing list
> OpenAFS-devel@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-devel

-- 
--------------------------------------------------------------------------
Troy Benjegerdes                'da hozer'                hozer@hozed.org  

Someone asked me why I work on this free (http://www.fsf.org/philosophy/)
software stuff and not get a real job. Charles Schulz had the best answer:

"Why do musicians compose symphonies and poets write poems? They do it
because life wouldn't have any meaning for them if they didn't. That's why
I draw cartoons. It's my life." -- Charles Schulz
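The realm lookup Chris describes in point 3, as an added example that is not code from pam_krb5 or afs5log: the file-server list for /afs/cell.name is copied into a caller-sized array that reports truncation instead of assuming a single address, and each server is mapped to a realm with a stand-in for krb5_get_host_realm() that mimics libkrb5's default upper-cased-domain fallback. The server names, MAX_SERVERS and the function names are constructed assumptions.

```c
#include <string.h>
#include <ctype.h>
#define MAX_SERVERS 8   /* room for a replicated root.cell, not just one address */

/* Constructed stand-in for the 'fs whereis /afs/cell.name' result: three file
 * servers, i.e. a root.cell volume replicated across more than one server. */
static const char *const sample_servers[] = {
    "afs1.example.edu", "afs2.example.edu", "afs3.example.edu" };
static const size_t sample_server_count = 3;

/* Copy at most cap server names into out and return how many were stored.
 * *truncated records that the source held more than cap entries, the case a
 * buffer sized for a single address cannot even report. */
size_t collect_servers(const char *const *src, size_t n,
                       const char **out, size_t cap, int *truncated)
{
    size_t i;
    *truncated = n > cap;
    for (i = 0; i < n && i < cap; i++)
        out[i] = src[i];
    return i;
}

/* Stand-in for krb5_get_host_realm(): without a [domain_realm] mapping,
 * libkrb5 falls back to the upper-cased DNS domain of the host. 0 on success. */
int host_realm(const char *host, char *realm, size_t realm_len)
{
    const char *dom = strchr(host, '.');
    if (dom == NULL || strlen(++dom) >= realm_len)
        return -1;
    while ((*realm++ = (char)toupper((unsigned char)*dom++)) != '\0')
        ;
    return 0;
}

/* Realm for the cell: every replica's server must map to the same realm;
 * disagreement or truncation is an error, not a silent pick of the first. */
int cell_realm(const char *const *servers, size_t n, char *realm, size_t realm_len)
{
    const char *found[MAX_SERVERS];
    char other[64];
    int truncated;
    size_t i, got = collect_servers(servers, n, found, MAX_SERVERS, &truncated);
    if (got == 0 || truncated || host_realm(found[0], realm, realm_len) != 0)
        return -1;
    for (i = 1; i < got; i++)
        if (host_realm(found[i], other, sizeof other) != 0 || strcmp(realm, other) != 0)
            return -1;
    return 0;
}
```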