[OpenAFS] Re: Help: Can OpenSSH get OpenAFS token after the client login?

Lee Eric openlinuxsource@gmail.com
Sat, 11 Jun 2011 21:35:50 +0800


Thanks mate. Here's the /etc/pam.d/sshd file contents, could you tell
me which part I can add the pam_afs_session module to?

Thanks very much.

Eric

On Sat, Jun 11, 2011 at 9:05 PM, Jason Edgecombe
<jason@rampaginggeek.com> wrote:
> On 06/11/2011 08:31 AM, Lee Eric wrote:
>>
>> Hi,
>>
>> The systems are using Fedora 14 and the systems can log in to each other
>> by using Kerberos. But it seems after OpenSSH login the client side
>> cannot get the OpenAFS token. So is there any way to let the client
>> side get the OpenAFS token after login? Just a guess, could I use
>> pam_afs_session in /etc/pam.d/sshd to do this?
>>
>>
>> [root@client1 ~]# kinit huli
>> Password for huli@HERDINGCAT.INTERNAL:
>> [root@client1 ~]# ssh huli@submit.herdingcat.internal
>> Last login: Sat Jun 11 08:30:24 2011 from client1.herdingcat.internal
>> Could not chdir to home directory /afs/herdingcat.internal/home/huli:
>> Permission denied
>> -bash: /afs/herdingcat.internal/home/huli/.bash_profile: Permission denied
>> -bash-4.1$
>
> yes, pam_afs_session can do that.
>
> In addition, for single sign-on to work, the remote machine must have a host
> keytab installed and put the following in your local ssh config
> (/etc/ssh/ssh_config or ~/.ssh/config):
>
>    GSSAPIAuthentication yes
>    GSSAPIDelegateCredentials yes
>
> Jason
>
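
A check for the settings named in this thread, as an added example that is not part of either poster's message: it reports whether an ssh client config enables the two GSSAPI options and whether a PAM file loads pam_afs_session. The function names, the script name and the assumption that the module belongs in the `session` stack are assumptions of this example.

```shell
#!/bin/sh
# Added example. The ssh config lives on the client and the PAM file on the
# remote machine: pass copies of both, or call the helpers one at a time.
# Host/Match scoping is ignored here; `ssh -G <host>` prints effective values.

# ssh_opt_enabled FILE KEY: succeed if a non-comment line sets KEY to "yes".
# ssh_config keywords are case-insensitive and accept "Key value" or "Key=value".
ssh_opt_enabled() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { line = $0; sub(/^[ \t]+/, "", line); gsub(/[=]/, " ", line)
          n = split(line, f, /[ \t]+/)
          if (n >= 2 && tolower(f[1]) == tolower(key) && tolower(f[2]) == "yes")
              found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# pam_has_afs_session FILE: succeed if a session line loads pam_afs_session.so
# (assumption: the session stack is where the module is wanted).
pam_has_afs_session() {
    awk '
        /^[ \t]*#/ { next }
        $1 ~ /^-?session$/ && /pam_afs_session\.so/ { found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# check_afs_sso SSH_CONFIG PAM_FILE: print a report; return the number of gaps.
check_afs_sso() {
    gaps=0
    for key in GSSAPIAuthentication GSSAPIDelegateCredentials; do
        if ssh_opt_enabled "$1" "$key"; then
            echo "ok: $key yes"
        else
            echo "MISSING: $key yes in $1"; gaps=$((gaps + 1))
        fi
    done
    if pam_has_afs_session "$2"; then
        echo "ok: pam_afs_session.so in session stack"
    else
        echo "MISSING: session line for pam_afs_session.so in $2"; gaps=$((gaps + 1))
    fi
    return "$gaps"
}

# Hypothetical usage: sh check_afs_sso.sh ~/.ssh/config ./sshd.pam.copy
if [ "$#" -eq 2 ]; then check_afs_sso "$1" "$2"; fi
```

`GSSAPIDelegateCredentials yes` forwards the Kerberos ticket to the remote host, so placing both options under a `Host` block for the machines that need AFS tokens keeps delegation away from other servers.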