[OpenAFS] Solaris 10 (x86): pam_afs_session
Douglas E. Engert
deengert@anl.gov
Fri, 25 Jan 2008 11:47:22 -0600
Russ Allbery wrote:
> John Tang Boyland <boyland@cs.uwm.edu> writes:
>
>> ] It looks like you're not running pam_krb5 in the session stack. pam_krb5
>> ] should be listed in the session stack before pam_afs_session, and that
>> ] will probably fix the problem.
>>
>> (BTW: This is Sun-provided pam_krb5)
>
> Ah, hm. I wonder if the Sun-provided pam_krb5 won't write out the ticket
> cache during pam_open_session the way that mine will.
>
> You may have to try Unix first and then try pam_krb5 so that you can put
> pam_afs_session into the auth group. Something like:
>
> dtlogin auth requisite pam_authtok_get.so.1
> dtlogin auth required pam_dhkeys.so.1
> dtlogin auth required pam_unix_cred.so.1
> dtlogin auth sufficient pam_unix_auth.so.1
> dtlogin auth required pam_krb5.so.1
> dtlogin auth required pam_afs_session.so.1
I believe you are correct. As a test I built pam_afs_session-1.5
on Solaris 10 (sparc) using the Sun Kerberos and OpenAFS 1.4.6,
as I have been meaning to do this for some time to see if it could
replace pam_afs2. I then modified /etc/pam.conf to call pam_afs_session
in a few places (but not all yet). In all cases it is using the pam_sm_setcred
routine to set pag and/or get a token.
#DEE smartcard failed, so skip it for now
#dtlogin auth requisite pam_smartcard.so.1
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth required pam_unix_cred.so.1
dtlogin auth optional pam_krb5.so.1
dtlogin auth required /krb5/lib/pam_afs_session.so.1 debug
#dtlogin auth required /krb5/lib/pam_afs2.so.1
# allows password login
dtlogin auth optional pam_unix_auth.so.1
#
# dtsession - lock/unlock screen, refresh creds and AFS token
#
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth optional pam_krb5.so.1
dtsession auth required /krb5/lib/pam_afs_session.so.1 debug
#dtsession auth required /krb5/lib/pam_afs2.so.1 nopag
# allows unlock with local password
dtsession auth optional pam_unix_auth.so.1
#
# xscreensaver used by gnome or CDE
#
xscreensaver auth requisite pam_authtok_get.so.1
xscreensaver auth required pam_dhkeys.so.1
xscreensaver auth optional pam_krb5.so.1
xscreensaver auth required /krb5/lib/pam_afs_session.so.1 debug
#xscreensaver auth required /krb5/lib/pam_afs2.so.1 nopag
# allows unlock with local password
xscreensaver auth optional pam_unix_auth.so.1
#
>
> Alternately, you can use my pam-krb5 module, which will write out the
> ticket cache during open_session.
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
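As an added illustration (not code from this thread, from pam_afs_session or from either pam_krb5), a small Python checker for the ordering constraint the thread discusses: it parses a constructed Solaris-style pam.conf and reports, per service, whether pam_krb5 runs before pam_afs_session in the auth stack, so that a ticket cache exists by the time pam_afs_session asks for a token. The module names are taken from the configuration above; the "login" stack is a constructed misordered example.

```python
from collections import defaultdict

# Constructed sample of a Solaris pam.conf ("service type control module [options]").
# The dtlogin stack mirrors the ordering above; the login stack is deliberately wrong.
SAMPLE_PAM_CONF = """\
#DEE smartcard failed, so skip it for now
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth required pam_unix_cred.so.1
dtlogin auth optional pam_krb5.so.1
dtlogin auth required /krb5/lib/pam_afs_session.so.1 debug
dtlogin auth optional pam_unix_auth.so.1
login auth requisite pam_authtok_get.so.1
login auth required /krb5/lib/pam_afs_session.so.1
login auth optional pam_krb5.so.1
"""

def parse_pam_conf(text):
    """Return {(service, type): [(control, module basename, options)]}; comments skipped."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:          # blank, comment-only or malformed line
            continue
        service, mtype, control, module = fields[:4]
        module = module.rsplit("/", 1)[-1]   # /krb5/lib/pam_afs_session.so.1 -> basename
        stacks[(service, mtype)].append((control, module, fields[4:]))
    return stacks

def check_afs_session_order(text, mtype="auth"):
    """For every service whose `mtype` stack lists pam_afs_session, say whether pam_krb5
    runs earlier in that stack (so a ticket cache exists when pam_afs_session's
    setcred/open_session hook asks for a token): "ok", "krb5-after-afs" or "no-krb5"."""
    results = {}
    for (service, t), entries in parse_pam_conf(text).items():
        if t != mtype:
            continue
        modules = [m for _, m, _ in entries]
        afs = [i for i, m in enumerate(modules) if m.startswith("pam_afs_session")]
        if not afs:
            continue
        krb = [i for i, m in enumerate(modules) if m.startswith("pam_krb5")]
        if not krb:
            results[service] = "no-krb5"
        else:
            results[service] = "ok" if min(krb) < min(afs) else "krb5-after-afs"
    return results
```

Pass `mtype="session"` to apply the same check to a session stack when a pam_krb5 that writes the ticket cache during open_session is in use.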