[OpenAFS] Getting pam configured for RHEL 7

Garance A Drosehn drosih@rpi.edu
Tue, 28 Jul 2015 19:27:17 -0400

On 6 Apr 2015, in the thread "Any preference for RHEL file servers",
     Brandon Allbery wrote:

> On Mon, 2015-04-06 at 14:36 +0000, Kieffer, Catherine wrote:
>> I just downloaded and installed the openafs-1.6.11-1.src.rpm source
>> RPM.  It didn't put it into /usr/src but into /root/rpmbuild.  [...]
> rpmbuild -ba /root/rpmbuild/SPECS/openafs.spec

Well, I have a RHEL 7 system built with openafs-1.6.12 RPMs installed.
I seem to have most things figured out and working okay (at least for
a working afs-client), except I have no idea how to get pam working
right for afs logins.

If I 'authconfig --update --enableldapauth', then I can log in okay,
except that I have no access to my home directory.  But if I then do:
    klog   && LOGIN_SHELL=true exec bash

then my session will start up with the appropriate access to whatever
files I try to access in my AFS cell.  Of course the token is then
tied to the userid instead of a PAG shell, so it remains in effect
after I log out.  And if I log back in before the token expires,
then I do have access right from the login, and don't have to do the
extra step of klog && bash.

I expect I shouldn't be doing ldap-auth, but what should I be doing?

I'm certainly no expert in pam, and what I did know seems to have
changed in RHEL 7.  So I am probably missing something which should
be obvious to me.  But I don't see how to configure pam for afs.

I did the rpmbuild step, and so far I've installed

I can see that these files are installed:

But if I edit /etc/pam.d/system-auth like I did on earlier RHEL's,
I see:
   # This file is auto-generated.
   # User changes will be destroyed the next time authconfig is run.

So that makes me a bit uneasy.  And if I ignore that and modify
pam.d/system-auth in ways similar to what I used to do (by adding
lines for 'pam_afs.krb.so'), then I can't log in to my afs accounts.
(Well, I can if I leave ldap-auth enabled, but not if I disable it.)

Also note that our AFS cell is old enough that we're still using the
older kaserver (krb4), not the more modern kerberos5-based setup.
On our older systems (which were not set up by me), system-auth is
configured to use pam_krb5afs.so, so I assume pam_afs.krb.so is the
right pam-module to use.

Garance Alistair Drosehn                =     drosih@rpi.edu
Senior Systems Programmer               or   gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA