[OpenAFS] Re: openSuSE 10.1 krb5 through windows kdc, openafs
Thu, 12 Apr 2007 21:43:04 +0100 (BST)
On Thu, 12 Apr 2007, Joe Buehler wrote:
> Alexander Al wrote:
>> Is there someone who could tell me how I should configure PAM
>> with krb5 with a Windows kdc and openafs client 1.4.x ?
> My own related question -- What is the "best" way to get AFS tokens
> during login when using krb5? There seems to be more than one way
> to do it, as far as PAM goes, and it is not clear to me what is
> currently best practice.

The best way I am aware of is to get your Kerberos 5 credentials using a
'normal' pam_krb5, running in the auth section of the stack. Then, use a
PAM AFS session module to use these to get AFS credentials at session
establishment (in the 'session' part of the PAM stack). There are two such
modules of which I am currently aware:

* Doug Engert's pam_afs2
* Russ Allbery's pam_openafs_session

We're currently using pam_afs2 here - I think it's likely we'll
investigate moving to pam_openafs_session for our next major release.

The place you'll generally run into pain is with OpenSSH - due to its
unique method of calling the PAM stack. Doing everything in a session
module dramatically reduces this pain.
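
Added example, not part of the original message or of either module's documentation: a small checker that parses a pam.d-style service file and reports whether it follows the layout described above (pam_krb5 in auth, an AFS module in session). The module names are the ones written in the message; that the installed .so files carry the same names, and the sample stacks themselves, are assumptions constructed for illustration.

```python
import re

KRB5 = "pam_krb5"
# Module names as written in the post; the installed .so names are assumed to match.
AFS_SESSION = {"pam_afs2", "pam_openafs_session"}
LINE = re.compile(r"-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_pam(text):
    """Yield (type, module) per rule of a pam.d-style file; @include is not followed."""
    for raw in text.replace("\\\n", " ").splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            module = m.group(3).rsplit("/", 1)[-1]
            yield m.group(1), module[:-3] if module.endswith(".so") else module

def check_stack(text):
    """Return findings for a stack that departs from the layout in the post."""
    mods = {}
    for ptype, module in parse_pam(text):
        mods.setdefault(ptype, set()).add(module)
    findings = []
    if KRB5 not in mods.get("auth", set()):
        findings.append("auth: pam_krb5 missing, so no Kerberos 5 credentials are obtained")
    if not AFS_SESSION & mods.get("session", set()):
        where = "only in auth" if AFS_SESSION & mods.get("auth", set()) else "absent"
        findings.append(f"session: AFS session module {where}, so no AFS credentials at session establishment")
    return findings

# Constructed sample stacks (not taken from any real system).
GOOD = """\
auth     sufficient  pam_krb5.so
auth     required    pam_unix.so try_first_pass
account  required    pam_unix.so
session  required    pam_unix.so
session  optional    /lib/security/pam_afs2.so   # AFS credentials from the krb5 ones
"""
BAD = """\
auth     sufficient  pam_krb5.so
auth     optional    pam_afs2.so
auth     required    pam_unix.so try_first_pass
session  required    pam_unix.so
"""

if __name__ == "__main__":
    for name, stack in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_stack(stack) or "ok")
```

Running it against each service file that can start a login session (sshd in particular) shows which ones still lack the session-stage AFS module.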