[OpenAFS] debian, login, pam.d, home on afs and aklog

Sergio Gelato Sergio.Gelato@astro.su.se
Fri, 9 Sep 2005 13:16:45 +0200

* Lars Schimmer [2005-09-09 12:16:12 +0200]:
> I configured OpenAFS 1.4.0rc1 to obtain tickets via krb5 on login and
> users get tickets on login, but aklog isn't run, so they only got
> tickets, no tokens.

The Official Debian Way involves package libpam-openafs-session.
Use it as a session and/or auth module (the latter for situations
in which the session part of the stack is not run, e.g. reauthentication
by a screen saver).

Alternatively, one can use pam_krb5afs from some of the pam_krb5
implementations out there. I still use Sourceforge pam_krb5 (1.3), with
a patch to make it build with sarge's Heimdal library. Haven't tried
recent Red Hat pam_krb5 (2.x) yet.

> Anyone knows a easy way for users to get tokens on login?

Yes, use the right PAM modules. Details have been posted on this list
a few days ago, by Russ Allbery I believe.

> And: has anyone ticket forwarding running on debian sarge and has a
> small guide for it?

Straying off-topic here: this is purely a Kerberos, not an AFS question.

I do. It's mostly a matter of requesting forwardable TGTs. The easy way
is to specify
	forwardable = true
in /etc/krb5.conf. You can have more fine-grained control via the
[appdefaults] section if you wish. Then of course you need to configure
your GSS applications (ssh-krb5 etc.) to actually delegate the credentials.

(I'm running a slightly patched version of sarge's ssh-krb5. See #918
and #922 in the OpenSSH bug tracker.)