[OpenAFS] RHEL5 and pam_afs

Simon Wilkinson sxw@inf.ed.ac.uk
Thu, 26 Mar 2009 09:58:13 +0000

On 26 Mar 2009, at 08:16, Atro Tossavainen wrote:

> This is probably a FAQ already.
> Upgraded a box to RHEL5 because a commercial application somebody
> needs has been compiled for that only and there isn't a way to get
> it to play with RHEL4.
> If on the text console, all is well.  Through gdm, pam_afs lets the
> user log in, generates PAG, but no token.  Can be sorted by manually
> issuing klog afterwards, but is a little cumbersome.  Is there a way
> to get this to work in the regular fashion any more?

Is pam_keyinit in the stack? In RHEL5, you'll probably be using  
keyring based PAGs, which require that the user's keyring not be  
reinitialised after they've been set up. The pam_keyinit module  
deletes any keys that may exist in the user's environment, so if it's  
run before pam_afs you lose.

There _may_ also be problems if pam_afs uses the 'change the PAG of  
my parent' feature of setpag. That's known not to work properly in  
recent Linux kernels - see

But, seriously, pam_afs? When are you going to stop hurting yourself?