[OpenAFS] Fedora 7 pam_afs won't save tickets after login. How to find missing tokens, if they ever existed?

Russ Allbery rra@stanford.edu
Sat, 16 Jun 2007 04:27:24 -0700

Paul Johnson <pauljohn32@gmail.com> writes:

> I've been running FC5 and FC6 systems with openafs as an authentication
> server and file server.  After installing Fedora 7 this week and
> building openafs 1.4.4 for it, I find I am able to use the openafs
> authentication and also the login process does work to mount the afs
> drives and a script that copies some configuration files from the afs
> server to the local hard disk, which I have running through the
> PreSession options in the Gnome Display Manager (gdm), does run.
> However, when the session has started, the token is somehow lost, and
> the user is not allowed to look at files in /afs/ku.edu/usr anymore.  If
> the user quickly opens a terminal and runs "klog" then all is well, as
> the symbolic links from the server to the desktop are kept alive.

The short version is "don't use pam_afs, it's obsolete and grody."  You
really want to use Kerberos v5 and a corresponding PAM stack.

If you have to use pam_afs, adding dont_fork to the options may help so
that it doesn't try to do the "set a PAG for my parent process" thing.
But it may not.

