[OpenAFS] debian, login, pam.d, home on afs and aklog
Sergio Gelato
Sergio.Gelato@astro.su.se
Fri, 9 Sep 2005 13:16:45 +0200
* Lars Schimmer [2005-09-09 12:16:12 +0200]:
> I configured OpenAFS 1.4.0rc1 to obtain tickets via krb5 on login and
> users get tickets on login, but aklog isn't run, so they only get
> tickets, no tokens.
The Official Debian Way involves package libpam-openafs-session.
Use it as a session and/or auth module (the latter for situations
in which the session part of the stack is not run, e.g. reauthentication
by a screen saver).
Alternatively, one can use pam_krb5afs from some of the pam_krb5
implementations out there. I still use Sourceforge pam_krb5 (1.3), with
a patch to make it build with sarge's Heimdal library. Haven't tried
recent Red Hat pam_krb5 (2.x) yet.
> Does anyone know an easy way for users to get tokens on login?
Yes, use the right PAM modules. Details have been posted on this list
a few days ago, by Russ Allbery I believe.
> And: does anyone have ticket forwarding running on debian sarge and a
> small guide for it?
Straying off-topic here: this is purely a Kerberos, not an AFS question.
I do. It's mostly a matter of requesting forwardable TGTs. The easy way
is to specify
    [libdefaults]
        forwardable = true
in /etc/krb5.conf. You can have more fine-grained control via the
[appdefaults] section if you wish. Then of course you need to configure
your GSS applications (ssh-krb5 etc.) to actually delegate the credentials.
(I'm running a slightly patched version of sarge's ssh-krb5. See #918
and #922 in the OpenSSH bug tracker.)
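The krb5.conf arrangement described above, written out as an added example (not from the original post): the [libdefaults] setting makes every TGT forwardable by default, and the [appdefaults] section shows the finer-grained form, where the setting is scoped to one application. The realm name and the application names (pam, kinit) are assumptions; each application reads only the [appdefaults] stanza that carries its own name, so check your PAM module's documentation for the name it uses.

```ini
; /etc/krb5.conf (added example; realm and application names are assumptions)

[libdefaults]
    default_realm = EXAMPLE.COM
    ; Ask for forwardable TGTs for everything that does not override it.
    forwardable = true

[appdefaults]
    ; Per-application control. An application only consults the stanza
    ; named after itself, so "pam" applies to a pam_krb5 that reads this
    ; name (assumed), "kinit" applies to the kinit command.
    pam = {
        forwardable = true
    }
    kinit = {
        forwardable = true
        ; Other per-application knobs go here, e.g. renew_lifetime = 1d
    }
```

With this in place, a login through pam_krb5 yields a forwardable TGT; the AFS token still has to come from the session/auth PAM module (or pam_krb5afs) mentioned above, and whether the TGT is actually delegated over ssh depends on the client and server configuration, not on krb5.conf alone.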