[OpenAFS] issue with Fedora 8 and retaining tokens after graphical login

Simon Wilkinson sxw@inf.ed.ac.uk
Sat, 24 Nov 2007 19:46:52 +0000


On 24 Nov 2007, at 15:02, Andrew Cobaugh wrote:

> In the past (up until Fedora 8), afs has always Just Worked. The
> supplied pam_krb5 was able to obtain a tgt and tokens, both with sshd
> and when logging in through things like gdm.

We've always used either pam_afs2 or pam_afs_session to handle AFS
tokens, so I can't comment directly on the Red Hat pam_krb5 module.

One common problem, however, is if you are calling pam_keyinit in the  
session layer. This resets the default keyring, losing any tokens  
that an auth stack module has inserted into the keyring during the  
authenticate operation. I don't know enough about how the Red Hat
module works to say if it can work around this - but I'd strongly
suggest that you look at Russ's pam_krb5 and pam_afs_session modules  
(available from http://www.eyrie.org/) which will do the right thing  
in this, and many other, cases.

Cheers,

Simon.
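
An added example, not part of the original message and not code from any of the modules named: a small checker for the ordering problem described above, where pam_keyinit in the session stack resets the keyring after an auth-stage module has stored tokens in it. It assumes pam.d-style files, treats pam_krb5.so as the auth-stage token module, assumes a pam_afs_session.so entry placed after pam_keyinit in the session stack obtains tokens in the new keyring, and does not follow include lines; the sample stacks are constructed.

```python
import re

# One pam.d rule: type, control (plain word or [bracketed]), module path.
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text):
    """Return [(type, module_basename)] in file order; comments are dropped."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            rules.append((m.group(1), m.group(3).rsplit("/", 1)[-1]))
    return rules

def classify(text, token_modules=("pam_krb5.so",)):
    """Classify a stack as 'not-affected', 'at-risk' or 'reacquired'.

    token_modules is an assumption: auth-stage modules that may store AFS
    tokens in the session keyring during authentication.
    """
    rules = parse_stack(text)
    session = [mod for typ, mod in rules if typ == "session"]
    auth_tokens = any(typ == "auth" and mod in token_modules for typ, mod in rules)
    if "pam_keyinit.so" not in session or not auth_tokens:
        return "not-affected"
    # Only session modules that run after the keyring reset can repopulate it.
    after = session[session.index("pam_keyinit.so") + 1:]
    return "reacquired" if "pam_afs_session.so" in after else "at-risk"

# Constructed sample: tokens stored during auth, keyring reset in session.
RISKY = """\
auth     required    pam_env.so
auth     sufficient  pam_krb5.so
auth     required    pam_deny.so
session  optional    pam_keyinit.so force revoke   # new session keyring
session  required    pam_unix.so
"""

# Constructed sample: same stack, tokens obtained again after the reset.
FIXED = RISKY + "session  optional    /lib/security/pam_afs_session.so\n"

# Constructed sample: no keyring reset in the session stack.
NO_KEYINIT = RISKY.replace("session  optional    pam_keyinit.so force revoke", "#")

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY), ("fixed", FIXED), ("no keyinit", NO_KEYINIT)):
        print(f"{name}: {classify(cfg)}")
```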