[OpenAFS] home on afs woes

Russ Allbery rra@stanford.edu
Wed, 11 Jan 2006 00:45:38 -0800

Juha J=E4ykk=E4 <juolja@utu.fi> writes:

> I would have thought pam_krb5.so [1] does this by itself, but apparently
> I am mistaken (again).

It's only a PAM module for Kerberos.  It doesn't know anything about AFS.

> While it would be relatively easy to write a small pam module to handle
> the creation of a suitable PAG, I must wonder whether one exists
> already?

libpam-openafs-session in Debian.  There are others floating around as

> Anything that depends on aklog from openafs-krb5 will not do since it
> just segfaults (probably the AES keys again, but I did not test this
> point).

Ah.  Well, either you're going to have to create a DES key for AFS or
you're going to have to run the kaserver and use Kerberos v4 for AFS.  AFS
doesn't do AES, at all.  If you do have a DES key for AFS, I don't see why
that aklog wouldn't work, but it's also fairly old.  Soon we'll have the
OpenAFS aklog packaged for Debian.

> By the way, is Heimdal's kinit/afslog at fault here for not creating the
> proper PAG?

Generally a process has to put itself in a PAG.  There's an ugly hack for
putting your parent process in a PAG (and for right now
libpam-openafs-session even relies on it), but it's not the default.  You
don't really want to do that without being in control of it; otherwise,
running kinit would, for instance, sever your PAG from the PAG of any
background processes spawned in the same shell.  That's not what people
normally expect to have happen.

> [1] The version from :pserver:anoncvs@rhlinux.redhat.com:/usr/local/CVS
> - it looks like it's the old RedHat pam_krb5.so emerged with the sf.net
> version and with still active development unlike any other pam_krb5.so I
> can find.

The Red Hat Kerberos PAM module scares me.  The PAM module in Debian is
under active development with a different upstream and handles some things
better (and will handle quite a few more things better when I find time to
get the next version uploaded).

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>