[OpenAFS] Getting pam configured for RHEL 7
Garance A Drosehn
drosih@rpi.edu
Tue, 28 Jul 2015 19:27:17 -0400
On 6 Apr 2015, in the thread "Any preference for RHEL file servers",
Brandon Allbery wrote:
> On Mon, 2015-04-06 at 14:36 +0000, Kieffer, Catherine wrote:
>> I just downloaded and installed the openafs-1.6.11-1.src.rpm source
>> RPM. It didn't put it into /usr/src but into /root/rpmbuild. [...]
>
> rpmbuild -ba /root/rpmbuild/SPECS/openafs.spec
Well, I have a RHEL 7 system built with openafs-1.6.12 RPMs installed.
I seem to have most things figured out and working okay (at least for
a working afs-client), except I have no idea how to get pam working
right for afs logins.
If I 'authconfig --update --enableldapauth', then I can login okay,
except that I have no access to my home directory. But if I then do:
klog && LOGIN_SHELL=true exec bash
then my session will start up with the appropriate access to whatever
files I try to access in my AFS cell. Of course the token is then
tied to the userid instead of a PAG shell, so it remains in effect
after I log out. And if I log back in before the token expires,
then I do have access right from the login, and don't have to do the
extra step of klog && bash.
I expect I shouldn't be doing ldap-auth, but what should I be doing?
I'm certainly no expert in pam, and what I did know seems to have
changed in RHEL 7. So I am probably missing something which should
be obvious to me. But I don't see how to configure pam for afs.
I did the rpmbuild step, and so far I've installed
openafs-client-1.6.12-1.el7.x86_64.rpm
openafs-1.6.12-1.el7.x86_64.rpm
openafs-docs-1.6.12-1.el7.x86_64.rpm
kmod-openafs-1.6.12-1.3.10.0_229.7.2.el7.x86_64.rpm
I can see that these files are installed:
/lib64/security/pam_afs.krb.so
/lib64/security/pam_afs.krb.so.1
/lib64/security/pam_afs.so
/lib64/security/pam_afs.so.1
But if I edit /etc/pam.d/system-auth like I did on earlier RHELs,
I see:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
So that makes me a bit uneasy. And if I ignore that and modify
pam.d/system-auth in ways similar to what I used to do (by adding
lines for 'pam_afs.krb.so'), then I can't login to my afs accounts.
(well, I can if I leave ldap-auth enabled, but not if I disable it).
Also note that our AFS cell is old enough that we're still using the
older kaserver (krb4), not the more modern kerberos5-based setup.
On our older systems (which were not setup by me), system-auth is
configured to use pam_krb5afs.so, so I assume pam_afs.krb.so is the
right pam-module to use.
--
Garance Alistair Drosehn = drosih@rpi.edu
Senior Systems Programmer or gad@FreeBSD.org
Rensselaer Polytechnic Institute; Troy, NY; USA
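The PAG-scoped form of the klog-then-shell workaround described in the message above, as an added example that is not part of the original post or of the OpenAFS distribution. It assumes the OpenAFS client utilities pagsh and klog are on PATH, and that the kernel represents a PAG the way the Linux client has historically done it: either as a single supplementary group whose high byte is 0x41, or, on newer kernels, as an afs_pag key in the session keyring (checked here with keyctl, which is assumed to be installed). The group-based decoding and the keyctl check are both assumptions of this example; the older two-group encoding is not handled.

```shell
#!/bin/sh
# Added example, not from the original post: start a login shell whose AFS
# token lives in a PAG, so the token goes away with the session instead of
# staying attached to the uid after logout, and report whether a PAG is in
# effect for the current process. Assumes pagsh and klog are on PATH.

# pag_from_groups GROUPLIST
#   Prints the PAG number encoded in a space-separated list of group ids
#   (e.g. the output of `id -G`), or "none" if no PAG group is present.
#   Assumption: the "new style" Linux encoding, where the PAG is a single
#   supplementary group with high byte 0x41 ('A'), i.e. gids in
#   0x41000000..0x41ffffff, and the PAG number is that gid minus 0x41000000.
#   Kernels that keep the PAG in the session keyring show nothing here, so
#   "none" alone does not prove the absence of a PAG; see pag_in_keyring.
pag_from_groups() {
    set -- $1
    for g in "$@"; do
        case "$g" in
            *[!0-9]*|'') continue ;;      # skip anything that is not a plain number
        esac
        if [ "$g" -ge 1090519040 ] && [ "$g" -le 1107296255 ]; then
            echo $((g - 1090519040))
            return 0
        fi
    done
    echo none
    return 1
}

# pag_in_keyring
#   Assumption: newer OpenAFS clients store the PAG as an "afs_pag" key in
#   the session keyring, which keyctl(1) lists. Returns 0 if one is found.
pag_in_keyring() {
    command -v keyctl >/dev/null 2>&1 || return 1
    keyctl list @s 2>/dev/null | grep -q 'afs_pag'
}

# pag_status
#   Tells the user whether a klog at this point would be PAG-scoped or
#   would attach the token to the uid (the situation the message describes).
pag_status() {
    pag=$(pag_from_groups "$(id -G)") || true
    if [ "$pag" != none ]; then
        echo "in PAG (group-based), PAG number $pag"
        return 0
    fi
    if pag_in_keyring; then
        echo "in PAG (keyring-based)"
        return 0
    fi
    echo "no PAG: a klog here would attach the token to uid $(id -u)"
    return 1
}

# pag_login_shell
#   Obtain the token inside a fresh PAG. pagsh creates the PAG and then runs
#   /bin/sh with the given arguments, so klog, the login shell and every
#   child of that shell share the PAG, and nothing outside the session
#   sees the token. `bash -l` replaces the original LOGIN_SHELL=true trick.
pag_login_shell() {
    exec pagsh -c 'klog && exec bash -l'
}

# Run only when asked explicitly, so sourcing this file defines the
# functions without side effects.
case "${1:-}" in
    start) pag_login_shell ;;
    check) pag_status ;;
esac
```

Usage: `sh pag-login.sh check` (a hypothetical file name for this script) reports whether the current process is already in a PAG; `sh pag-login.sh start` does what the message's `klog && LOGIN_SHELL=true exec bash` does, but inside a PAG, so logging out discards the token rather than leaving it on the uid until it expires.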