[OpenAFS] rhel6 64bit pam_afs_session
Wed, 08 Jun 2011 11:25:12 -0700
RHEL6 has been out for a while now so I thought it about time to start testing
AFS there and plan to upgrade our servers. All the AFS server and client bits
(1.4.14) work just fine. The one missing piece is pam_afs_session.

A bit of background: the main hurdle to overcome was that nss-ldap doesn't seem
to be available in any default repositories for RHEL6. So instead I am using
SSSD for both LDAP user info and Kerberos authentication. All the underlying
pieces seem to be working - id <username>, kinit, aklog - all those work and I
can then access AFS correctly.

However, when I log in via SSH as a user with a home directory on AFS,
pam_afs_session does not seem to be working. I get permission denied on my home
directory. But klist shows that I have a Kerberos ticket, aklog works to get
tokens, and then I can access AFS just fine.

I configured pam_sss and pam_afs_session essentially the same way as on RHEL5.
Here is the snip from /etc/pam.d/system-auth:

    auth [success=ok default=1] pam_sss.so use_first_pass
    auth [default=done] pam_afs_sessino.so
    session optional pam_sss.so
    session required pam_afs_session.so

And even if I add the "debug" option to pam_afs_session.so, there is never any
mention of it in /var/log/secure when I try to log in.

Does anyone have experience with 64-bit RHEL6? I found that I had to configure
pam_afs_session with --libdir=/lib64 otherwise I would get "file not found"
errors in /var/log/secure.

    ./configure --prefix=/usr --libdir=/lib64

At this point, I'm not sure how to determine which piece of the puzzle is
Thanks in advance for any tips!
School of Social Sciences
SSPA 4110 | 949.824.1536