Fwd: [OpenAFS] issue with Fedora 8 and retaining tokens after graphical login

Paul Johnson pauljohn32@gmail.com
Tue, 12 Feb 2008 17:12:21 -0600


Mistakenly sent this directly to Andrew, when I intended to send to
whole list in order to gather feedback.


---------- Forwarded message ----------
From: Paul Johnson <pauljohn32@gmail.com>
Date: Feb 12, 2008 5:11 PM
Subject: Re: [OpenAFS] issue with Fedora 8 and retaining tokens after
graphical login
To: Andrew Cobaugh <phalenor@gmail.com>


On Nov 24, 2007 9:02 AM, Andrew Cobaugh <phalenor@gmail.com> wrote:
> In the past (up until Fedora 8), afs has always Just Worked. The
> supplied pam_krb5 was able to obtain a tgt and tokens, both with sshd
> and when logging in through things like gdm.
>
> I recently upgraded from 7 to 8. Logging in through sshd works
> perfectly, but gdm stopped working. I get a tgt, but not tokens. Odd
> thing is if I set pam_krb5 to debug in /etc/pam.d/system-auth, I get
> all kinds of debug messages in /var/log/secure as expected when going
> in through ssh, but I get none of this with gdm, so it's almost as if
> gdm is skipping over pam, which doesn't make sense.
>
> So, has anyone had trouble with Fedora 8 and afs in this respect? I've
> downgraded to the pam_krb5 from Fedora 7 (pam_krb5-2.2.11-1), and that
> hasn't fixed it. I suspect either something with gdm, or something
> weird they're doing because of all of this ConsoleKit stuff...
>
> Ideas?
>
> --
> Andy Cobaugh

Yes, I have had this trouble too.  I am able to get the system to
authenticate against the OpenAFS server, but the system does not
remember the password/token long enough to mount the AFS share.  I
have devised a workaround.

We have logins against several different kinds of servers. In the
system-auth, I have the pam lines for all kinds of authentication.
When the user gives a password, it is checked and the login proceeds.
After the login is accepted, I have a configuration set in the
gdm/PreSession. That uses Zenity to ask the user for an AFS password.
If the user gives one, then the token is created and the login work is
done.  Although this is tedious in that it asks for a password twice,
it does work.

In /etc/gdm/PreSession/Default, I added these lines

chown -R $USER $HOME

/usr/local/bin/mountKUShare

and the mountKUShare script is below.  This runs as root, I started
doing it that way when we were having users on both a Novell server
and the AFS.  Now we no longer do Novell, so could drop it to
PostSession, I think, but I don't have time to experiment.

This script does a lot of crap of creating a backup set of user
configurations and copying config from the afs server.  That gives us
a poor man's "roaming desktop".  But if you ignore that stuff, just
look at the end for the use of "zenity" to ask for the password. I
mean this part specifically:

   pwd=`zenity --entry --hide-text --text "Does your account '$USER'
have folders on the AFS server? To mount them on the desktop, give
${USER}'s AFS Password!"`
   mymnt=`klog $USER -password "$pwd"`

I hate it when people don't post complete, working scripts, so here is
the whole thing, that does work.

------------------------------------mountKUShare
#!/bin/bash
#
PATH="/usr/X11R6/bin:$PATH:/bin:/usr/bin"


createAFSLink(){
    THELINK=$1
    base=`basename $THELINK`
    fulllocal="$HOME/$base"
    if [  -e $THELINK ] ; then

       if [ ! -h $fulllocal ] ; then
        rsync -ra $fulllocal  $HOME/.Config_Backups
        rm -rf $fulllocal
        fi
    ln -sf $THELINK $HOME
    fi
    chown -h "$USER:polsusers" "$fulllocal"
}

rsyncAFSLink(){
    THELINK=$1
    base=`basename $THELINK`
    fulllocal="$HOME/$base"
    if [  -e $THELINK ] ; then

      if [ ! -h $fulllocal ] ; then
        rsync -ra $fulllocal --exclude=Cache*  $HOME/.Config_Backups
        rm -rf $fulllocal
      fi
    rsync -ra --size-only --exclude=Cache* $THELINK $HOME
    fi
    chown -R "$USER:polsusers" "$fulllocal"
}




doAFSMountWork() {
    THESERVER=$1
    echo "Inside doAFSMountWork " >> /tmp/checkpoint
    echo $THESERVER >> /tmp/checkpoint

    if [ -e "$HOME/Desktop/$THESERVER/LabDesk/.mozilla" ] ; then

        rsyncAFSLink "$HOME/Desktop/$THESERVER/LabDesk/.mozilla"
        echo "mozilla! in AFS server  $USER $HOME" >> /tmp/checkpoint
    fi

    if [ -d "$HOME/Desktop/$THESERVER/LabDesk/.thunderbird" ] ; then
        rsyncAFSLink "$HOME/Desktop/$THESERVER/LabDesk/.thunderbird"
    fi


    for i in $HOME/Desktop/$THESERVER/LabDesk/.gn* ; do
        createAFSLink $i
    done

    for i in $HOME/Desktop/$THESERVER/LabDesk/.kde* ; do
        createAFSLink $i
    done

    for i in $HOME/Desktop/$THESERVER/LabDesk/.gc* ; do
        createAFSLink $i
    done

    for i in $HOME/Desktop/$THESERVER/LabDesk/.bash* ; do
        createAFSLink $i
    done

   for i in $HOME/Desktop/$THESERVER/LabDesk/.unis* ; do
        createAFSLink $i
    done

    if [ -e "$HOME/Desktop/$THESERVER/LabDesk/.metacity" ]; then
        createAFSLink "$HOME/Desktop/$THESERVER/LabDesk/.metacity"
    fi

   for i in $HOME/Desktop/$THESERVER/LabDesk/.n* ; do
        createAFSLink $i
   done

    for i in $HOME/Desktop/$THESERVER/LabDesk/.em* ; do
        createAFSLink $i
    done

    for i in $HOME/Desktop/$THESERVER/LabDesk/.l* ; do
        createAFSLink $i
    done


    rsync -ra --size-only $HOME/Desktop/$THESERVER/LabDesk/.ssh $HOME

    if [ -d "$HOME/.ssh" ] ; then
        chown $USER $HOME/.ssh
        chmod -R go-rwx $HOME/.ssh
    fi


     if [ -e "$HOME/Desktop/$THESERVER/LabDesk/GNUstep" ]; then
         createAFSLink "$HOME/Desktop/$THESERVER/LabDesk/GNUstep"
     fi

}


if [ ! -d $HOME/Desktop ]; then
   mkdir $HOME/Desktop;

   chown -R $USER $HOME/Desktop;
fi




# some output for easy debugging
echo "new login beginning $USER $HOME" >> /tmp/checkpoint



#if [ ! -e /afs/ku.edu/usr/pols ]; then
   pwd=`zenity --entry --hide-text --text "Does your account '$USER'
have folders on the AFS server? To mount them on the desktop, give
${USER}'s AFS Password!"`
   mymnt=`klog $USER -password "$pwd"`
   MOUNTED=$?
   echo "MOUNTED = $MOUNTED" >> /tmp/checkpoint
#fi


if [ "$MOUNTED" != 0 ]; then
   zenity --error --title="Not Mounting Server" --text "Effort to
attach Server folders failed"
else


if [ -e /afs/ku.edu/usr/pols ]; then
   ln -sf /afs/ku.edu/usr/pols $HOME/Desktop/AFS_pols_group
   echo "1: afs exists" >> /tmp/checkpoint
else
   echo "1: no damn pols afs point" >> /tmp/checkpoint
fi


AFSSERVER="AFS_My_Documents"


if [ -e /afs/ku.edu/usr/pols ]; then

   if [ -h $HOME/Desktop/$AFSSERVER ] ; then
       rm $HOME/Desktop/$AFSSERVER
   fi


#    `find /afs/ku.edu/usr/pols /afs/ku.edu/usr/pols/students
-maxdepth 1 -name $USER -exec ln -sf {} $HOME/Desktop/$AFSSERVER \; 2>
/dev/null`

     if [ -w /afs/ku.edu/usr/pols/students/$USER ] ; then
        ln -sf /afs/ku.edu/usr/pols/students/$USER $HOME/Desktop/$AFSSERVER
     elif [  -w /afs/ku.edu/usr/pols/$USER ] ; then
         ln -sf /afs/ku.edu/usr/pols/$USER $HOME/Desktop/$AFSSERVER
     fi

   mkdir -p $HOME/.Config_Backups

   echo "2: found AFS=$AFSSERVER, created link"  >> /tmp/checkpoint
   doAFSMountWork $AFSSERVER

else
   echo "failed to start afs mount work" >> /tmp/checkpoint
fi

fi

exit 0






--
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas

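The PreSession recipe above (zenity prompt, then klog), as an added example that is not part of Paul's mountKUShare or the OpenAFS project: it keeps the password off klog's command line by using -pipe, refuses odd-looking usernames, and logs to a root-owned file instead of a predictable path under /tmp. The log path /var/log/afs-presession.log, the cell path /afs/example.org and the script name afs-presession are assumptions.

```shell
#!/bin/bash
# Added example, not Paul Johnson's mountKUShare: a minimal gdm PreSession hook that
# follows the same zenity + klog recipe but (a) hands the password to klog on stdin
# with -pipe instead of on the command line, where -password makes it visible in ps,
# and (b) logs to a root-owned file rather than a predictable path under /tmp.
# Assumed names: /var/log/afs-presession.log and the cell path /afs/example.org.

LOGFILE="${LOGFILE:-/var/log/afs-presession.log}"

log() {
    # gdm exports USER and HOME to PreSession scripts
    printf '%s %s: %s\n' "$(date '+%F %T')" "${USER:-?}" "$*" >> "$LOGFILE" 2>/dev/null || true
}

# obtain_afs_token USER   (password is read from stdin, one line)
obtain_afs_token() {
    user="$1"
    # USER comes from gdm, but refuse anything that is not a plain login name
    if ! printf '%s\n' "$user" | grep -Eq '^[a-z_][a-z0-9_-]*$'; then
        log "refusing to run klog: bad username '$user'"
        return 2
    fi
    # -pipe: klog reads the password from stdin and prints nothing
    klog -principal "$user" -pipe
}

presession_main() {
    # --hide-text masks the typed password in the dialog
    pw=$(zenity --entry --hide-text --title="AFS login" \
         --text="Enter the AFS password for '$USER' to attach your AFS folders") || return 1
    printf '%s\n' "$pw" | obtain_afs_token "$USER"
    rc=$?
    unset pw
    if [ "$rc" -ne 0 ]; then
        log "klog failed for $USER (rc=$rc)"
        zenity --error --title="Not Mounting Server" --text="Could not get an AFS token for $USER"
        return "$rc"
    fi
    log "AFS token obtained for $USER"
    # same desktop link idea as the original; the cell path is a placeholder
    [ -w "/afs/example.org/usr/$USER" ] && ln -sfn "/afs/example.org/usr/$USER" "$HOME/Desktop/AFS_My_Documents"
    return 0
}

# From /etc/gdm/PreSession/Default call:  /usr/local/bin/afs-presession run
if [ "${1:-}" = run ]; then
    presession_main
fi
```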