On 05/31/00 10:24:54 +0100 Paul Blackburn <[EMAIL PROTECTED]> wrote:
+-----
| Has anyone tried to get AFS authentication and obtaining a PAG
| directly at Linux XDM login window?
|
| What needs to be done to make this work?
+--->8
xdm has to be thrown out and replaced with something that implements PAM
properly.

Basically, xdm calls the pam_session stuff at the wrong time; the result
being that the PAG is acquired at the wrong place. KDE's kdm, being an xdm
derivative, has the same problem. (GNOME's gdm, having been written from
the ground up with PAM support in mind, does the right thing.)

A large part of the problem is that PAM wasn't really designed to cope with
network authentication, so nobody uses it in ways that make it work with
AFS (and in many cases not even for Kerberos, although the recent
incorporation of krb5 into Red Hat means RH has been fixing this part of
it). Note that even RH bailed on fixing xdm, which also does the wrong
thing for Kerberos (symptom: ticket file owned by root instead of the
authenticated user).

I attempted to patch xdm to do the right thing with PAM but couldn't get it
to work properly, and eventually fell back to adding KTH-Krb4 support to it
until we could switch to something saner than xdm.
--
brandon s. allbery [os/2][linux][solaris][japh] [EMAIL PROTECTED]
system administrator [WAY too many hats] [EMAIL PROTECTED]
electrical & computer engineering KF8NH
carnegie mellon university ["better check the oblivious first" -ke6sls]