[OpenAFS] pam_afs_session in Fedora?

Andy Cobaugh phalenor@gmail.com
Fri, 18 Feb 2011 14:44:51 -0500 (EST)



On 2011-02-18 at 12:33, Ken Dreyer ( ktdreyer@ktdreyer.com ) said:
> On Fri, Feb 18, 2011 at 12:19 PM, Brandon S Allbery KF8NH
> <allbery.b@gmail.com> wrote:
>> On 2/18/11 14:14 , Andy Cobaugh wrote:
>>> Just curious why you're not just using the stock pam_krb5? At least in a
>>> plain jane krb5 environment, pam_krb5 has worked fine for us (though I
>>> haven't tried very recent Fedora).
>>
>> There are programs which don't do PAM right; in particular, they run
>> pam_krb5 in root's context instead of the user's context, which worst-case
>> results in a UID-based (no PAG) root token and no user token.  This works
>> fine with krb5 if they do it right, but the token is a side effect that
>> can't be corrected in the session module.
>
> Right, I want PAG support and the other benefits of pam_afs_session.
>
> RedHat's pam_krb5's AFS support is not very good. In addition to not
> granting PAGs, I've seen situations where it will check if AFS is
> running, and if so, it attempts to convert the user's Kerberos 5
> credential to a Kerberos 4 credential. This will time out because it
> cannot find the Kerberos 4 KDCs (none exist). Logins were taking a
> minute or more in these cases. Setting "ignore_afs" solved the
> problem.

I can log in with pam_krb5, and I get put in a keyring-based PAG. I do see 
that the krb4_* options are no longer available in f14.

In any event, would definitely welcome pam_afs_session in EPEL, at least 
our PAM configurations would be somewhat similar across platforms.

--andy
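The two PAM stacks the thread contrasts, written out as an added example (not a configuration posted by anyone in the thread). It assumes a Fedora/RHEL-style `/etc/pam.d/system-auth` layout; the module names and the `ignore_afs` option are the ones mentioned above, and the rest of each stack is a plausible placeholder around them, not a complete system-auth file.

```pam
# Stack A: stock pam_krb5 only. Slow logins can occur when pam_krb5 probes
# for AFS and tries a Kerberos 5 -> Kerberos 4 conversion that times out
# because no Kerberos 4 KDCs exist. Any AFS token obtained this way is a
# side effect of the session module, not a per-session PAG.
auth     sufficient pam_krb5.so
account  [default=bad success=ok user_unknown=ignore] pam_krb5.so
session  optional   pam_krb5.so

# Stack B: pam_krb5 for authentication, with its AFS handling disabled via
# ignore_afs (the fix mentioned in the thread), and pam_afs_session
# handling the PAG and token in the session phase instead.
auth     sufficient pam_krb5.so
account  [default=bad success=ok user_unknown=ignore] pam_krb5.so
session  optional   pam_krb5.so ignore_afs
session  optional   pam_afs_session.so
```

After switching to Stack B, a quick check from a fresh login is whether the shell sits in its own PAG rather than a UID-based root token; on a keyring-PAG kernel the session keyring listing shows the PAG, and a token obtained in one login should not be visible from another login of the same user.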