[OpenAFS] pam_afs_session in Fedora?
Brandon S Allbery KF8NH
Fri, 18 Feb 2011 14:19:34 -0500
-----BEGIN PGP SIGNED MESSAGE-----
On 2/18/11 14:14 , Andy Cobaugh wrote:
> Just curious why you're not just using the stock pam_krb5? At least in a
> plain jane krb5 environment, pam_krb5 has worked fine for us (though I
> haven't tried very recent Fedora).
There are programs which don't do PAM right; in particular, they run
pam_krb5 in root's context instead of the user's context, which worst-case
results in a UID-based (no PAG) root token and no user token. This works
fine with krb5 if they do it right, but the token is a side effect that
can't be corrected in the session module.
brandon s. allbery [linux,solaris,freebsd,perl] email@example.com
system administrator [openafs,heimdal,too many hats] kf8nh
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----