[OpenAFS] rhel6 64bit pam_afs_session

Jonathan Nilsson jnilsson@uci.edu
Wed, 08 Jun 2011 11:25:12 -0700


Hello list,

RHEL6 has been out for a while now so I thought it about time to start testing 
AFS there and plan upgrading our servers. All the AFS server and client bits 
(1.4.14) work just fine. The one missing piece is pam_afs_session.

A bit of background: the main hurdle to overcome was that nss-ldap doesn't seem 
to be available in any default repositories for RHEL6. So instead I am using 
SSSD for both LDAP user info and Kerberos authentication. All the underlying 
pieces seem to be working - id <username>, kinit, aklog - all those work and I 
can then access AFS correctly.

However, when I log in via SSH as a user with a home directory on AFS, 
pam_afs_session does not seem to be working. I get permission denied on my home 
directory. But klist shows that I have a Kerberos ticket, aklog works to get 
tokens, and then I can access AFS just fine.

I configured pam_sss and pam_afs_session essentially the same way as on RHEL5. 
Here is the snip from /etc/pam.d/system-auth:

auth [success=ok default=1] pam_sss.so use_first_pass
auth [default=done] pam_afs_sessino.so
...
session optional pam_sss.so
session required pam_afs_session.so

And even if I add the "debug" option to pam_afs_session.so, there is never any 
mention of it in /var/log/secure when I try to log in.

Does anyone have experience with 64-bit RHEL6? I found that I had to configure 
pam_afs_session with --libdir=/lib64 otherwise I would get "file not found" 
errors in /var/log/secure.

./configure --prefix=/usr --libdir=/lib64

At this point, I'm not sure how to determine which piece of the puzzle is 
broken/missing.

Thanks in advance for any tips!

-- 
Jonathan.Nilsson@uci.edu
Computing Services
School of Social Sciences
SSPA 4110 | 949.824.1536
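
An added example, not part of the original message: a small check that parses PAM rules like the snippet quoted above and lists those whose module name does not resolve to a file. The module directories are an assumption (on a 64-bit host typically /lib64/security); the demo uses a temporary directory holding constructed empty module files.

```python
import os
import re
import tempfile

# One PAM rule: type, control (a keyword or a [value=action ...] block), module, args.
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) for each module rule in a PAM file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = RULE.match(line)
        # include/substack lines name another PAM file, not a module
        if m and m.group(2) not in ("include", "substack"):
            rules.append(m.groups())
    return rules

def unresolved(text, module_dirs):
    """Rules whose module file is not found; relative names are tried in module_dirs."""
    missing = []
    for ptype, control, module, _args in parse_pam(text):
        if os.path.isabs(module):
            paths = [module]
        else:
            paths = [os.path.join(d, module) for d in module_dirs]
        if not any(os.path.isfile(p) for p in paths):
            missing.append((ptype, control, module))
    return missing

# The system-auth lines as quoted in the message (the "..." line omitted).
SAMPLE = """\
auth [success=ok default=1] pam_sss.so use_first_pass
auth [default=done] pam_afs_sessino.so
session optional pam_sss.so
session required pam_afs_session.so
"""

def demo():
    # Constructed stand-in for the module directory: empty files, not real modules.
    with tempfile.TemporaryDirectory() as d:
        for name in ("pam_sss.so", "pam_afs_session.so"):
            open(os.path.join(d, name), "w").close()
        return unresolved(SAMPLE, [d])

if __name__ == "__main__":
    for ptype, control, module in demo():
        print(f"{ptype} {control}: module file not found: {module}")
```

On a real host, pass the contents of the PAM file and the actual module directories to `unresolved()` instead of calling `demo()`.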