[OpenAFS] home on afs woes
Wed, 11 Jan 2006 00:45:38 -0800
Juha J=E4ykk=E4 <firstname.lastname@example.org> writes:
> I would have thought pam_krb5.so  does this by itself, but apparently
> I am mistaken (again).
It's only a PAM module for Kerberos. It doesn't know anything about AFS.
> While it would be relatively easy to write a small pam module to handle
> the creation of a suitable PAG, I must wonder whether one exists
libpam-openafs-session in Debian. There are others floating around as
> Anything that depends on aklog from openafs-krb5 will not do since it
> just segfaults (probably the AES keys again, but I did not test this
Ah. Well, either you're going to have to create a DES key for AFS or
you're going to have to run the kaserver and use Kerberos v4 for AFS. AFS
doesn't do AES, at all. If you do have a DES key for AFS, I don't see why
that aklog wouldn't work, but it's also fairly old. Soon we'll have the
OpenAFS aklog packaged for Debian.
> By the way, is Heimdal's kinit/afslog at fault here for not creating the
> proper PAG?
Generally a process has to put itself in a PAG. There's an ugly hack for
putting your parent process in a PAG (and for right now
libpam-openafs-session even relies on it), but it's not the default. You
don't really want to do that without being in control of it; otherwise,
running kinit would, for instance, sever your PAG from the PAG of any
background processes spawned in the same shell. That's not what people
normally expect to have happen.
>  The version from :pserver:email@example.com:/usr/local/CVS
> - it looks like it's the old RedHat pam_krb5.so emerged with the sf.net
> version and with still active development unlike any other pam_krb5.so I
> can find.
The Red Hat Kerberos PAM module scares me. The PAM module in Debian is
under active development with a different upstream and handles some things
better (and will handle quite a few more things better when I find time to
get the next version uploaded).
Russ Allbery (firstname.lastname@example.org) <http://www.eyrie.org/~eagle/>