Fwd: [OpenAFS] issue with Fedora 8 and retaining tokens after graphical login
Paul Johnson
pauljohn32@gmail.com
Tue, 12 Feb 2008 17:12:21 -0600
Mistakenly sent this directly to Andrew, when I intended to send to
whole list in order to gather feedback.
---------- Forwarded message ----------
From: Paul Johnson <pauljohn32@gmail.com>
Date: Feb 12, 2008 5:11 PM
Subject: Re: [OpenAFS] issue with Fedora 8 and retaining tokens after graphical login
To: Andrew Cobaugh <phalenor@gmail.com>
On Nov 24, 2007 9:02 AM, Andrew Cobaugh <phalenor@gmail.com> wrote:
> In the past (up until Fedora 8), afs has always Just Worked. The
> supplied pam_krb5 was able to obtain a tgt and tokens, both with sshd
> and when logging in through things like gdm.
>
> I recently upgraded from 7 to 8. Logging in through sshd works
> perfectly, but gdm stopped working. I get a tgt, but not tokens. Odd
> thing is if I set pam_krb5 to debug in /etc/pam.d/system-auth, I get
> all kinds of debug messages in /var/log/secure as expected when going
> in through ssh, but I get none of this with gdm, so it's almost as if
> gdm is skipping over pam, which doesn't make sense.
>
> So, has anyone had trouble with Fedora 8 and afs in this respect? I've
> downgraded to the pam_krb5 from Fedora 7 (pam_krb5-2.2.11-1), and that
> hasn't fixed it. I suspect either something with gdm, or something
> weird they're doing because of all of this ConsoleKit stuff...
>
> Ideas?
>
> --
> Andy Cobaugh
Yes, I have had this trouble too. I am able to get the system to
authenticate against the OpenAFS server, but the system does not
remember the password/token long enough to mount the AFS share. I
have devised a workaround.
We have logins against several different kinds of servers. In the
system-auth, I have the pam lines for all kinds of authentication.
When user gives a password, it is checked and the login proceeds.
After the login is accepted, I have a configuration set in the
gdm/PreSession. That uses Zenity to ask the user for an AFS password.
If the user gives one, then the token is created and the login work is
done. Although this is tedious in that it asks for a password twice,
it does work.
In /etc/gdm/PreSession/Default, I added these lines:
chown -R $USER $HOME
/usr/local/bin/mountKUShare
and the mountKUShare script is below. This runs as root, I started
doing it that way when we were having users on both a Novell server
and the AFS. Now we no longer do Novell, so could drop it to
PostSession, I think, but I don't have time to experiment.
This script does a lot of crap of creating a backup set of user
configurations and copying config from the afs server. That gives us
a poor man's "roaming desktop". But if you ignore that stuff, just
look at the end for the use of "zenity" to ask for the password. I
mean this part specifically:
pwd=$(zenity --entry --hide-text --text "Does your account '$USER' have folders on the AFS server? To mount them on the desktop, give ${USER}'s AFS Password!")
mymnt=$(klog "$USER" -password "$pwd")
I hate it when people don't post complete, working scripts, so here is
the whole thing, that does work.
------------------------------------mountKUShare
#!/bin/bash
#
# Run from /etc/gdm/PreSession/Default (as root) after PAM has accepted the
# login. Asks the user for an AFS password, obtains a token with klog, links
# the user's AFS folders onto the desktop and pulls configuration files from
# the AFS "LabDesk" directory (the "poor man's roaming desktop").
PATH="/usr/X11R6/bin:$PATH:/bin:/usr/bin"

# Replace a local config directory with a symlink to its copy on AFS,
# saving the local version under $HOME/.Config_Backups first.
createAFSLink(){
    THELINK="$1"
    base=$(basename "$THELINK")
    fulllocal="$HOME/$base"
    if [ -e "$THELINK" ] ; then
        if [ ! -h "$fulllocal" ] ; then
            rsync -ra "$fulllocal" "$HOME/.Config_Backups"
            rm -rf "$fulllocal"
        fi
        ln -sf "$THELINK" "$HOME"
    fi
    chown -h "$USER.polsusers" "$fulllocal"
}

# Same idea as createAFSLink, but copy the AFS directory locally instead of
# linking it (Cache* subdirectories are skipped).
rsyncAFSLink(){
    THELINK="$1"
    base=$(basename "$THELINK")
    fulllocal="$HOME/$base"
    if [ -e "$THELINK" ] ; then
        if [ ! -h "$fulllocal" ] ; then
            rsync -ra "$fulllocal" --exclude='Cache*' "$HOME/.Config_Backups"
            rm -rf "$fulllocal"
        fi
        rsync -ra --size-only --exclude='Cache*' "$THELINK" "$HOME"
    fi
    chown -R "$USER.polsusers" "$fulllocal"
}

# Link or copy the per-user config directories kept under
# $HOME/Desktop/$THESERVER/LabDesk on the AFS server.
doAFSMountWork() {
    THESERVER="$1"
    LABDESK="$HOME/Desktop/$THESERVER/LabDesk"
    echo "Inside doAFSMountWork " >> /tmp/checkpoint
    echo "$THESERVER" >> /tmp/checkpoint
    if [ -e "$LABDESK/.mozilla" ] ; then
        rsyncAFSLink "$LABDESK/.mozilla"
        echo "mozilla! in AFS server $USER $HOME" >> /tmp/checkpoint
    fi
    if [ -d "$LABDESK/.thunderbird" ] ; then
        rsyncAFSLink "$LABDESK/.thunderbird"
    fi
    # Everything else is symlinked; a glob that matches nothing is passed
    # through literally and skipped by the -e test in createAFSLink.
    for i in "$LABDESK"/.gn* "$LABDESK"/.kde* "$LABDESK"/.gc* \
             "$LABDESK"/.bash* "$LABDESK"/.unis* ; do
        createAFSLink "$i"
    done
    if [ -e "$LABDESK/.metacity" ]; then
        createAFSLink "$LABDESK/.metacity"
    fi
    for i in "$LABDESK"/.n* "$LABDESK"/.em* "$LABDESK"/.l* ; do
        createAFSLink "$i"
    done
    # SSH keys are copied, not linked, and kept private to the user.
    rsync -ra --size-only "$LABDESK/.ssh" "$HOME"
    if [ -d "$HOME/.ssh" ] ; then
        chown "$USER" "$HOME/.ssh"
        chmod -R go-rwx "$HOME/.ssh"
    fi
    if [ -e "$LABDESK/GNUstep" ]; then
        createAFSLink "$LABDESK/GNUstep"
    fi
}

if [ ! -d "$HOME/Desktop" ]; then
    mkdir "$HOME/Desktop"
    chown -R "$USER" "$HOME/Desktop"
fi

# some output for easy debugging
echo "new login beginning $USER $HOME" >> /tmp/checkpoint

# Ask for the AFS password with a zenity dialog and get a token with klog.
# Note: -password places the password on the klog command line, where it is
# visible in the process list while klog runs; klog -pipe reads it from stdin.
#if [ ! -e /afs/ku.edu/usr/pols ]; then
pwd=$(zenity --entry --hide-text --text "Does your account '$USER' have folders on the AFS server? To mount them on the desktop, give ${USER}'s AFS Password!")
mymnt=$(klog "$USER" -password "$pwd")
MOUNTED=$?   # exit status of klog: 0 means a token was obtained
echo "MOUNTED = $MOUNTED" >> /tmp/checkpoint
#fi

if [ "$MOUNTED" != 0 ]; then
    zenity --error --title="Not Mounting Server" --text "Effort to attach Server folders failed"
else
    if [ -e /afs/ku.edu/usr/pols ]; then
        ln -sf /afs/ku.edu/usr/pols "$HOME/Desktop/AFS_pols_group"
        echo "1: afs exists" >> /tmp/checkpoint
    else
        echo "1: no damn pols afs point" >> /tmp/checkpoint
    fi
    AFSSERVER="AFS_My_Documents"
    if [ -e /afs/ku.edu/usr/pols ]; then
        if [ -h "$HOME/Desktop/$AFSSERVER" ] ; then
            rm "$HOME/Desktop/$AFSSERVER"
        fi
        # Previous approach, left commented out:
        # find /afs/ku.edu/usr/pols /afs/ku.edu/usr/pols/students -maxdepth 1 -name $USER -exec ln -sf {} $HOME/Desktop/$AFSSERVER \; 2> /dev/null
        # Link the user's own AFS directory (under students/ or directly
        # under pols/) onto the desktop.
        if [ -w "/afs/ku.edu/usr/pols/students/$USER" ] ; then
            ln -sf "/afs/ku.edu/usr/pols/students/$USER" "$HOME/Desktop/$AFSSERVER"
        elif [ -w "/afs/ku.edu/usr/pols/$USER" ] ; then
            ln -sf "/afs/ku.edu/usr/pols/$USER" "$HOME/Desktop/$AFSSERVER"
        fi
        mkdir -p "$HOME/.Config_Backups"
        echo "2: found AFS=$AFSSERVER, created link" >> /tmp/checkpoint
        doAFSMountWork "$AFSSERVER"
    else
        echo "failed to start afs mount work" >> /tmp/checkpoint
    fi
fi
exit 0
--
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas
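The two steps the workaround above hinges on are getting a token after PAM has finished and making sure the session actually holds one before anything under /afs is touched. The script below is an added example, not Paul's mountKUShare script or anything shipped with OpenAFS or gdm: it feeds the zenity-supplied password to klog on stdin (klog's -pipe flag) instead of the command line, and then parses the output of `tokens` to confirm a token for the cell exists. The cell name "example.cell", the function names, and the sample `tokens` output are all mine; the sample output is constructed in the format OpenAFS prints so the parsing can be exercised without a live cell.

```shell
#!/bin/sh
# Added example, not part of the original mountKUShare script: obtain an AFS
# token for the session without putting the password on the klog command
# line, then confirm the Cache Manager really holds a token for the cell.
# Assumes OpenAFS klog/tokens and zenity are installed; "example.cell" is a
# placeholder cell name, not a real one.

AFS_CELL="${AFS_CELL:-example.cell}"   # placeholder; set to the real cell

# Return 0 when the given `tokens` output lists a token for cell $2.
# The output is passed in as $1 so the check can be exercised offline.
has_token_for_cell() {
    printf '%s\n' "$1" | grep -q "tokens for afs@$2 \[Expires"
}

# Print the expiry shown by `tokens` for cell $2, e.g. "Feb 13 03:11".
token_expiry_for_cell() {
    printf '%s\n' "$1" | sed -n "s/.*tokens for afs@$2 \[Expires \(.*\)]/\1/p"
}

# Prompt for the password with zenity and hand it to klog on stdin.
# klog -pipe reads the password from standard input, so it never shows up
# in the process table the way `klog -password` does.
get_afs_token() {
    user="$1"
    pw=$(zenity --entry --hide-text \
         --text "Does your account '$user' have folders on the AFS server? Give ${user}'s AFS password to attach them.") || return 1
    [ -n "$pw" ] || return 1
    printf '%s\n' "$pw" | klog -principal "$user" -cell "$AFS_CELL" -pipe
}

# Ask the running Cache Manager whether the session now holds a token.
session_has_token() {
    out=$(tokens 2>/dev/null) || return 1
    has_token_for_cell "$out" "$AFS_CELL"
}

# PreSession-style flow: get the token, then verify it before touching /afs.
# Shows an error dialog and returns non-zero on failure.
attach_afs_session() {
    if get_afs_token "$1" && session_has_token; then
        return 0
    fi
    zenity --error --title="Not Mounting Server" \
           --text "No AFS token for $AFS_CELL; AFS folders not attached"
    return 1
}

# Constructed sample of `tokens` output (OpenAFS format), used to exercise
# the parsing functions without a live cell.
SAMPLE_TOKENS=$(cat <<'EOF'
Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@example.cell [Expires Feb 13 03:11]
   --End of list--
EOF
)

# Only run the live flow when invoked with --run, e.g. from PreSession:
#   attachAFSSession --run "$USER"
if [ "$1" = "--run" ]; then
    attach_afs_session "$2"
fi
```

The cell name is spliced into a basic regular expression, so its dots match any character; that is harmless for a check against your own cell's output. Calling `session_has_token` after `klog` is the part worth keeping even if the prompting stays as it is: klog's exit status says the token request succeeded, but `tokens` confirms the token landed in the PAG or session that the rest of the PreSession script will actually run in.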