[OpenAFS] RHEL5 and pam_afs
Simon Wilkinson
sxw@inf.ed.ac.uk
Thu, 26 Mar 2009 09:58:13 +0000

On 26 Mar 2009, at 08:16, Atro Tossavainen wrote:
> This is probably a FAQ already.
>
> Upgraded a box to RHEL5 because a commercial application somebody
> needs has been compiled for that only and there isn't a way to get
> it to play with RHEL4.
>
> If on the text console, all is well. Through gdm, pam_afs lets the
> user log in, generates PAG, but no token. Can be sorted by manually
> issuing klog afterwards, but is a little cumbersome. Is there a way
> to get this to work in the regular fashion any more?

Is pam_keyinit in the stack? In RHEL5, you'll probably be using
keyring based PAGs, which require that the user's keyring not be
reinitialised after they've been set up. The pam_keyinit module
deletes any keys that may exist in the user's environment, so if it's
run before pam_afs you lose.

There _may_ also be problems if pam_afs uses the 'change the PAG of
my parent' feature of setpag. That's known not to work properly in
recent Linux kernels - see

But, seriously, pam_afs? When are you going to stop hurting yourself?

S.
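
The reply's first question ("Is pam_keyinit in the stack?") is harder to answer when a service file such as gdm's pulls in other files. The sketch below flattens a service file through its include lines and lists every pam_keyinit and pam_afs entry in stack order. It is an added example, not part of the original thread or of OpenAFS; the file contents are constructed and the function names `flatten` and `keyinit_vs_afs` are hypothetical.

```python
import re

# Constructed sample files (assumption: not the poster's actual configuration).
SAMPLE = {
    "gdm": """\
#%PAM-1.0
auth      include   system-auth
session   optional  pam_keyinit.so force revoke
session   include   system-auth
""",
    "system-auth": """\
auth      required  pam_env.so
auth      [success=1 default=ignore] \\
          pam_afs.so try_first_pass
auth      required  pam_deny.so
session   required  pam_unix.so
-session  optional  pam_afs.so
""",
}

# type, control (plain word or [bracketed list]), then module path or include target
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def flatten(files, service, want_type, _seen=()):
    """Module names for one management group, in the order the stack lists them."""
    if service in _seen:                      # guard against include loops
        return []
    out = []
    text = files.get(service, "").replace("\\\n", " ")  # join continuation lines
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())     # drop comments
        if not m or m.group(1) != want_type:
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            out += flatten(files, target, want_type, _seen + (service,))
        else:
            out.append(target.rsplit("/", 1)[-1])        # basename of module path
    return out

def keyinit_vs_afs(files, service):
    """(group, module) for every pam_keyinit / pam_afs entry, in stack order."""
    return [(group, mod)
            for group in ("auth", "account", "password", "session")
            for mod in flatten(files, service, group)
            if mod.startswith(("pam_keyinit", "pam_afs"))]

if __name__ == "__main__":
    for group, mod in keyinit_vs_afs(SAMPLE, "gdm"):
        print(f"{group:8} {mod}")
```

To run it against a real host, fill the dictionary from the files under /etc/pam.d instead of the constructed strings.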