[OpenAFS] home on afs woes

Russ Allbery rra@stanford.edu
Wed, 11 Jan 2006 14:33:37 -0800

Juha Jäykkä <juhaj@iki.fi> writes:

>> Ah, okay, I didn't realize that.

> It's the best working solution I have been able to come up with. Its
> being monolithic makes it non-ideal, but it seems to work fine. It even
> parses krb5.conf's [appdefaults] pam = { ... } and is easy to
> configure. It even allows me to set non-default renew_timeouts and
> such. And it handles ssh/gssapi just fine. (Provided the symlink hassle
> in /afs/.../home/...)

Yeah, this is part of what scares me about it, since it builds its own
krb5.conf parser using lex and yacc.  Hopefully the new Kerberos v5
profile library API that's supposed to be coming in the next major release
will obviate the need for doing anything this horrible.

> I was curious and installed openafs-krb5 on one machine, ran aklog in
> gdb and did a stack trace after the segfault. It dies in
> krb5_get_host_realm() in libkrb5.so.3. It happens krb5_get_host_realm()
> cannot handle an *indented* comment within [domain_realm]! That is,

> [domain_realm]
> 	# foo
>         .tfy.utu.fi = TFY.UTU.FI

> causes a SIGSEGV, while

> [domain_realm]
> # foo
>         .tfy.utu.fi = TFY.UTU.FI

> does not.

This was fixed in the MIT Kerberos packages in Debian in version 1.3.6-4:

  * Allow whitespace before comments in krb5.conf.  Thanks, Jeremie
    Koenig.  (Closes: #314609)

but as I recall, you're using stable, which missed this fix by two Debian

It's MIT Kerberos RT #1988 and is one of 14 patches that are in the
current Debian packages and have been submitted upstream but which I don't
believe have been committed to the krb5 source tree yet.  :/

> I'll go back to checking the openafs-krb5 stuff now since aklog now
> works.  I would also appreciate any help on making aklog compile against
> Heimdal, but it seems like a bigger thing - there are so many things to
> tackle.

You probably don't really need to do this, as Heimdal comes with an afslog
that should work fine -- although, I don't know if it supports the -setpag
flag to set a PAG for the parent process.  Unfortunately, doing PAM
properly requires either that or linking with the AFS libraries.

Linking with the AFS libraries will be easier in the 1.4.1 release since
there will then be a shared library that contains only the lsetpag()
function, at which point my intention is to significantly overhaul the way
that PAGs and aklog are handled in Debian.

> You've been extremely helpful already. Thank you. It is not very common
> to find people as helpful as you.

I just wish I was better at understanding or guessing at what issues
you're running into.  :/  For whatever reason, I've guessed wrong rather
more frequently than I usually do.  But I'm learning a lot in the process!

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
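
Added example, not part of the original message and not code from the Debian or MIT Kerberos packages: a small Python check for the condition discussed in the thread, a comment preceded by whitespace in krb5.conf, for hosts whose libkrb5 predates the fix. It goes beyond the [domain_realm] case shown above by reporting such lines in every section. The function names and the sample file are constructed, and treating ';' as a comment marker alongside '#' is an assumption about which lines are affected.

```python
import re

# "[section]" header, optionally followed by the "*" final marker.
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\*?\s*$")
# A comment marker preceded by at least one space or tab.
# Assumption: ';' comments are affected the same way as '#' comments.
INDENTED_COMMENT_RE = re.compile(r"^[ \t]+[#;]")


def find_indented_comments(text):
    """Return (line_number, section, line) for each comment preceded by whitespace."""
    findings = []
    section = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if INDENTED_COMMENT_RE.match(line):
            findings.append((lineno, section, line))
    return findings


def dedent_comments(text):
    """Return text with leading whitespace stripped from comment lines only."""
    fixed = []
    for line in text.splitlines(keepends=True):
        if INDENTED_COMMENT_RE.match(line):
            line = line.lstrip(" \t")
        fixed.append(line)
    return "".join(fixed)


# Constructed sample modelled on the snippet quoted in the thread.
SAMPLE = (
    "[libdefaults]\n"
    "# flush-left comment\n"
    "        default_realm = TFY.UTU.FI\n"
    "[domain_realm]\n"
    "\t# foo\n"
    "        .tfy.utu.fi = TFY.UTU.FI\n"
)

if __name__ == "__main__":
    for lineno, section, line in find_indented_comments(SAMPLE):
        print(f"line {lineno} in [{section}]: indented comment {line!r}")
```
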