[OpenAFS] pam_afs_session in Fedora?

Brandon S Allbery KF8NH allbery.b@gmail.com
Fri, 18 Feb 2011 14:19:34 -0500


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2/18/11 14:14 , Andy Cobaugh wrote:
> Just curious why you're not just using the stock pam_krb5? At least in a
> plain jane krb5 environment, pam_krb5 has worked fine for us (though I
> haven't tried very recent Fedora).

There are programs which don't do PAM right; in particular, they run
pam_krb5 in root's context instead of the user's context, which worst-case
results in a UID-based (no PAG) root token and no user token.  This works
fine with krb5 if they do it right, but the token is a side effect that
can't be corrected in the session module.

- -- 
brandon s. allbery     [linux,solaris,freebsd,perl]    allbery.b@gmail.com
system administrator  [openafs,heimdal,too many hats]                kf8nh
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk1exkYACgkQIn7hlCsL25WLdQCghW8UKlUCW0flyNT7JHvyaUbj
IlcAmwQWF5OUDUlzOVDqFfONcTzyEKm4
=aTbl
-----END PGP SIGNATURE-----