[OpenAFS] pam_afs_session in Fedora?

Ken Dreyer ktdreyer@ktdreyer.com
Fri, 18 Feb 2011 12:33:06 -0700


On Fri, Feb 18, 2011 at 12:19 PM, Brandon S Allbery KF8NH
<allbery.b@gmail.com> wrote:
> On 2/18/11 14:14 , Andy Cobaugh wrote:
>> Just curious why you're not just using the stock pam_krb5? At least in a
>> plain jane krb5 environment, pam_krb5 has worked fine for us (though I
>> haven't tried very recent Fedora).
>
> There are programs which don't do PAM right; in particular, they run
> pam_krb5 in root's context instead of the user's context, which worst-case
> results in a UID-based (no PAG) root token and no user token. This works
> fine with krb5 if they do it right, but the token is a side effect that
> can't be corrected in the session module.

Right, I want PAG support and the other benefits of pam_afs_session.

RedHat's pam_krb5's AFS support is not very good. In addition to not
granting PAGs, I've seen situations where it will check if AFS is
running, and if so, it attempts to convert the user's Kerberos 5
credential to a Kerberos 4 credential. This will time out because it
cannot find the Kerberos 4 KDCs (none exist). Logins were taking a
minute or more in these cases. Setting "ignore_afs" solved the
problem.

A second reason I want pam_afs_session in Fedora/RedHat is that the
newer authentication module, pam_sss, doesn't include AFS support, and
I have a feeling that it will not be high on the developers' priority
list. At least a bug is filed: https://fedorahosted.org/sssd/ticket/463

- Ken
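Added illustration (not part of Ken's or Brandon's messages): a system-auth style PAM stack showing the two settings the thread is about side by side, the pam_krb5 line that still attempts AFS token acquisition and the corrected stack where pam_krb5 is told to leave AFS alone with ignore_afs and pam_afs_session supplies the PAG and token. The file path, the surrounding pam_env/pam_unix/pam_limits lines and the argument values are assumed to match a typical Fedora system-auth of that era and should be checked against your own stack before copying.

```text
# /etc/pam.d/system-auth (excerpt; assumed Fedora layout, illustrative only)

# Before: pam_krb5 is also asked to fetch an AFS token.  On a site with no
# Kerberos 4 KDCs this is the step that stalled logins for a minute or more,
# and when it does succeed it does not create a PAG.
#auth        sufficient    pam_krb5.so use_first_pass
#session     optional      pam_krb5.so

# After: pam_krb5 does Kerberos 5 only; ignore_afs stops it from touching
# AFS at all.  pam_afs_session runs aklog inside a fresh PAG for the user.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass ignore_afs
auth        required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5.so ignore_afs
session     optional      pam_afs_session.so
```

Two points to check after editing: pam_afs_session must be listed after pam_krb5 in the session group so the ticket cache already exists when aklog runs, and after logging in you can confirm the PAG and token with `tokens` (and, on Linux, by looking for the PAG group in `id`). The pam_afs_session documentation also describes an optional auth entry for programs that call pam_setcred without pam_open_session; its placement relative to a `sufficient` pam_krb5 line needs care, so it is deliberately left out of this excerpt.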