[OpenAFS] Solaris 10 (x86): pam_afs_session
John Tang Boyland
boyland@cs.uwm.edu
Fri, 22 Feb 2008 12:31:18 -0600
] Russ Allbery wrote:
] > John Tang Boyland <boyland@cs.uwm.edu> writes:
] >
] >> ] It looks like you're not running pam_krb5 in the session stack. pam_krb5
] >> ] should be listed in the session stack before pam_afs_session, and that
] >> ] will probably fix the problem.
] >>
] >> (BTW: This is Sun-provided pam_krb5)
] >
] > Ah, hm. I wonder if the Sun-provided pam_krb5 won't write out the ticket
] > cache during pam_open_session the way that mine will.
] >
] > You may have to try Unix first and then try pam_krb5 so that you can put
] > pam_afs_session into the auth group. Something like:
] >
] > dtlogin auth requisite pam_authtok_get.so.1
] > dtlogin auth required pam_dhkeys.so.1
] > dtlogin auth required pam_unix_cred.so.1
] > dtlogin auth sufficient pam_unix_auth.so.1
] > dtlogin auth required pam_krb5.so.1
] > dtlogin auth required pam_afs_session.so.1
]
] I believe you are correct. As a test I built pam_afs_session-1.5
] on Solaris 10 (sparc) using the Sun Kerberos and OpenAFS 1.4.6,
] as I have been meaning to do this for some time to see if it could
] replace pam_afs2. I then modified /etc/pam.conf to call pam_afs_session
] in a few places (but not all yet). In all cases it is using the pam_sm_setcred
] routine to set a PAG and/or get a token.
]
] #DEE smartcard failed, so skip it for now
] #dtlogin auth requisite pam_smartcard.so.1
] dtlogin auth requisite pam_authtok_get.so.1
] dtlogin auth required pam_dhkeys.so.1
] dtlogin auth required pam_unix_cred.so.1
] dtlogin auth optional pam_krb5.so.1
] dtlogin auth required /krb5/lib/pam_afs_session.so.1 debug
] #dtlogin auth required /krb5/lib/pam_afs2.so.1
] # allows password login
] dtlogin auth optional pam_unix_auth.so.1
]
] #
] # dtsession - lock/unlock screen, refresh creds and AFS token
] #
] dtsession auth requisite pam_authtok_get.so.1
] dtsession auth required pam_dhkeys.so.1
] dtsession auth optional pam_krb5.so.1
] dtsession auth required /krb5/lib/pam_afs_session.so.1 debug
] #dtsession auth required /krb5/lib/pam_afs2.so.1 nopag
] # allows unlock with local password
] dtsession auth optional pam_unix_auth.so.1
]
] #
] # xscreensaver used by gnome or CDE
] #
] xscreensaver auth requisite pam_authtok_get.so.1
] xscreensaver auth required pam_dhkeys.so.1
] xscreensaver auth optional pam_krb5.so.1
] xscreensaver auth required /krb5/lib/pam_afs_session.so.1 debug
] #xscreensaver auth required /krb5/lib/pam_afs2.so.1 nopag
] # allows unlock with local password
] xscreensaver auth optional pam_unix_auth.so.1
] #
]
] --
]
] Douglas E. Engert <DEEngert@anl.gov>
] Argonne National Laboratory
] 9700 South Cass Avenue
] Argonne, Illinois 60439
] (630) 252-5444
Sorry, I finally have time to reply to this. I tried both
suggestions but neither worked. It still writes out
the Kerberos token after calling pam_afs_session.
This is specific to dtlogin; sshd does fine.
The workaround is to log in twice: first in a failsafe session,
immediately log out, and then log in using the normal session.
John
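The thread turns on module ordering inside a pam.conf stack: pam_afs_session can only obtain a token if the Kerberos ticket cache already exists when it runs, so pam_krb5 has to appear before it in the same service/module-type stack, and a `sufficient` module that succeeds earlier in the stack will cause pam_afs_session to be skipped altogether. The checker below is an added example and is not code from the thread, from OpenAFS or from pam_afs_session; it parses the Solaris pam.conf layout shown in the quoted configs (service, module type, control flag, module path, options) and reports, per stack, whether the ordering is sound. The sample configuration inside it is constructed for illustration.

```python
"""Ordering checks for Solaris-style pam.conf stacks (added example).

For every (service, module-type) stack that loads pam_afs_session, report
whether pam_krb5 is loaded earlier in that same stack, and whether a
`sufficient` module precedes pam_afs_session (a succeeding `sufficient`
entry ends the stack early, so pam_afs_session would never run).
"""
from dataclasses import dataclass, field


@dataclass
class PamEntry:
    service: str
    module_type: str      # auth, account, session or password
    control: str          # requisite, required, sufficient, optional, ...
    module: str           # basename of the module path, e.g. pam_krb5.so.1
    options: list = field(default_factory=list)

    @property
    def name(self) -> str:
        """Module name without the shared-object suffix, e.g. pam_krb5."""
        return self.module.split(".")[0]


def parse_pam_conf(text: str) -> list:
    """Parse pam.conf text into PamEntry objects; comments and blanks are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing or full-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, path = fields[:4]
        basename = path.rsplit("/", 1)[-1]    # /krb5/lib/pam_afs_session.so.1 -> pam_afs_session.so.1
        entries.append(PamEntry(service, mtype, control, basename, fields[4:]))
    return entries


def check_ordering(entries: list, first: str = "pam_krb5",
                   second: str = "pam_afs_session") -> dict:
    """Map (service, module-type) -> 'ok' | 'wrong-order' | 'missing-krb5'.

    Only stacks that load `second` are reported; the first occurrence of each
    module within a stack is what counts.
    """
    positions = {}
    for idx, e in enumerate(entries):
        key = (e.service, e.module_type)
        stack = positions.setdefault(key, {})
        if e.name in (first, second) and e.name not in stack:
            stack[e.name] = idx
    results = {}
    for key, pos in positions.items():
        if second not in pos:
            continue
        if first not in pos:
            results[key] = "missing-krb5"
        elif pos[first] < pos[second]:
            results[key] = "ok"
        else:
            results[key] = "wrong-order"
    return results


def sufficient_before(entries: list, module: str = "pam_afs_session") -> list:
    """Stacks where a `sufficient` entry precedes `module` (module may be skipped)."""
    seen_sufficient = set()
    flagged = []
    for e in entries:
        key = (e.service, e.module_type)
        if e.name == module:
            if key in seen_sufficient and key not in flagged:
                flagged.append(key)
        elif e.control == "sufficient":
            seen_sufficient.add(key)
    return flagged


# Constructed sample, not a real pam.conf: one correct stack, one reversed
# stack, one stack without pam_krb5, and one with an early `sufficient`.
SAMPLE_PAM_CONF = """
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth optional pam_krb5.so.1
dtlogin auth required /krb5/lib/pam_afs_session.so.1 debug
dtlogin auth optional pam_unix_auth.so.1
sshd session required /krb5/lib/pam_afs_session.so.1
sshd session required pam_krb5.so.1
dtlogin session required pam_afs_session.so.1
other auth sufficient pam_unix_auth.so.1
other auth required pam_krb5.so.1
other auth required pam_afs_session.so.1
"""


def audit(text: str = SAMPLE_PAM_CONF) -> dict:
    """Run both checks over pam.conf text and return their results together."""
    entries = parse_pam_conf(text)
    return {"ordering": check_ordering(entries),
            "sufficient_before_afs": sufficient_before(entries)}


if __name__ == "__main__":
    report = audit()
    for key, status in sorted(report["ordering"].items()):
        print(f"{key[0]:<12}{key[1]:<10}{status}")
    for key in report["sufficient_before_afs"]:
        print(f"{key[0]} {key[1]}: a sufficient module precedes pam_afs_session")
```

Run it against a copy of `/etc/pam.conf` by passing the file's text to `audit()`; the `debug` option that Doug's config passes to pam_afs_session is kept in `PamEntry.options`, so the same parse can be used to check which stacks still carry debugging options before a configuration goes into production.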