[OpenAFS] PAM configuration?

Douglas E. Engert deengert@anl.gov
Thu, 25 May 2006 21:37:12 -0500 

Brady Catherman wrote:
> Perhaps you guys can get me going in the right direction here.. I  can't 
> seem to get pam to issue me an afs ticket to save my life.
> 
> When I log in I can get a Kerberos 5 ticket:
> bcatherm@thecube / $ klist
> Ticket cache: FILE:/tmp/krb5cc_1217_6L1UkL
> Default principal: bcatherm@IBEST.UIDAHO.EDU
> 
> Valid starting     Expires            Service principal
> 05/25/06 14:40:13  05/25/06 14:40:13  krbtgt/ 
> IBEST.UIDAHO.EDU@IBEST.UIDAHO.EDU
> 
> and I have setup OpenAFS to get me a ticket when I run aklog:
> bcatherm@thecube / $ aklog
> bcatherm@thecube / $ klist
> Ticket cache: FILE:/tmp/krb5cc_1217_6L1UkL
> Default principal: bcatherm@IBEST.UIDAHO.EDU
> 
> Valid starting     Expires            Service principal
> 05/25/06 14:40:13  05/25/06 14:40:13  krbtgt/ 
> IBEST.UIDAHO.EDU@IBEST.UIDAHO.EDU
> 05/25/06 14:44:27  05/25/06 14:40:13  afs@IBEST.UIDAHO.EDU
> 
> But I can not get pam_afs, pam_afs.krb or pam_afs2 to actually issue  
> the afs ticket on login. Using pam_afs2 I can run a script containing  
> my program:
> #!/bin/sh
> export > /tmp/env.out
> echo "/usr/bin/aklog $*" > /tmp/aklog.parm
> /usr/bin/aklog $* > /tmp/aklog.out 2> /tmp/aklog.err
> klist > /tmp/klist.out
> 
> In /tmp/klist.out I can see the output from klist and it contains the  
> afs token, but I can't seem to get this afs token to stick around  until 
> after the login process =)

Can you add a /usr/afsws/bin/tokens to you script to see if there is a token?
The klist shows a k5 ticket was obtained, but not if it was convertyed to a token.

What OS and version is this?

What is in the pam.conf?

Add debug as on option on the pam_afs2.so lines, then look in syslog.

Where is the output from /tmp/env.out, /tmp/aklog.*  and /tmp/klist.out

It sounds like you did not get a PAG.


> 
> Anybody have a setup working and some time to pull out the relevant  
> parts? (or even better, a recent document that works. =)
> 
> Thanks for your help =)
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444