[OpenAFS] pam-afs-session on OS X Lion

Derrick Brashear shadow@gmail.com
Mon, 19 Dec 2011 14:04:27 -0500


Replace aklog with a shell script that outputs klist and aklog -d to a
file in /tmp and see what it's really doing.

All the below tells us is Kerberos failed. Knowing if you have
tickets, etc., would be much more interesting.

On Mon, Dec 19, 2011 at 1:00 PM, Dave Botsch <botsch@cnf.cornell.edu> wrote:
> hi, all.
>
> So, pam-afs-session doesn't seem to work on Lion, properly with:
>
> OpenAFS 1.6.0-1-g54686 built 2011-09-02
>
> So, I can get Kerberos tickets and run aklog to successfully get tokens
> at the command prompt, and all works fine. However, if I try to get
> tokens whilst logging in, I run into the following problem:
>
> Dec 19 10:19:57 tmp29 authorizationhost[35432]:
> pam_afs_session(authorization): pam_sm_setcred: entry (0x1)
> Dec 19 10:19:57 tmp29 authorizationhost[35432]:
> pam_afs_session(authorization): running /usr/bin/aklog as UID 502
> Dec 19 10:19:57 tmp29 authorizationhost[35432]:
> pam_afs_session(authorization): aklog program /usr/bin/aklog returned 4
> Dec 19 10:19:57 tmp29 authorizationhost[35432]:
> pam_afs_session(authorization): pam_sm_setcred: exit (success)
>
> Note that I *do* get Kerberos tickets upon logging in from the built in
> pam_krb5.
>
> Here's my PAM config in /etc/pam.d/authorization :
>
> # authorization: auth account
> auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
> auth       optional       pam_ntlm.so use_first_pass
> auth    optional        pam_afs_session.so nopag always_aklog debug
> auth       required       pam_opendirectory.so use_first_pass nullok
> account    required       pam_opendirectory.so
> session optional        pam_afs_session.so nopag always_aklog debug
>
> Thanks.
>
>
>
> --
> ********************************
> David William Botsch
> Programmer/Analyst
> CNF Computing
> botsch@cnf.cornell.edu
> ********************************
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info



--
Derrick
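
An added example, not part of either message: a wrapper of the kind suggested in the reply, installed in place of /usr/bin/aklog so that a login records klist and `aklog -d` output and still hands aklog's exit status back to pam_afs_session. The /usr/bin/aklog.real and /usr/bin/klist paths, the variable names and the function name are assumptions for illustration.

```shell
#!/bin/sh
# Added example: debugging wrapper installed in place of /usr/bin/aklog.
# Assumptions (not from the thread): the real binary was moved to
# /usr/bin/aklog.real and klist lives at /usr/bin/klist.
REAL_AKLOG="${REAL_AKLOG:-/usr/bin/aklog.real}"
KLIST="${KLIST:-/usr/bin/klist}"
LOG_DIR="${LOG_DIR:-/tmp}"

# Runs klist and "aklog -d <args>", records both in a fresh log file,
# prints the log path on stdout and returns aklog's own exit status.
trace_aklog() {
    # /tmp is world-writable: use mktemp (unpredictable name, no symlink
    # following) and a private umask, since the log names principals.
    umask 077
    log=$(mktemp "$LOG_DIR/aklog-debug.XXXXXX") || return 1
    krc=0
    rc=0
    {
        echo "== $(date) uid=$(id -u) KRB5CCNAME=${KRB5CCNAME:-<unset>}"
        echo "== klist"
        "$KLIST" 2>&1 || krc=$?
        echo "== klist exit: $krc"
        echo "== aklog -d $*"
        "$REAL_AKLOG" -d "$@" 2>&1 || rc=$?
        echo "== aklog exit: $rc"
    } >>"$log"
    echo "$log"
    return "$rc"
}

# Act as the wrapper only when the renamed binary is really present.
if [ -x "$REAL_AKLOG" ]; then
    trace_aklog "$@" >/dev/null
    exit $?
fi
```

Remove the wrapper and its logs once the failing login has been captured; the recorded UID and KRB5CCNAME show whether aklog is looking at the same credential cache that pam_krb5 populated.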