Thanks mate. I use the pam_afs_session and pam_krb5 PAM modules on the client. The user who is using NFS can sometimes log in and sometimes cannot, due to a timeout. The client has to access both NFS and OpenAFS. So is there any method to fix that? I will paste the PAM configurations here.

/etc/pam.d/system-auth

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

/etc/pam.d/password-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Obviously I'm using a mixed NFS/AFS environment there.

Eric

On Mon, Oct 17, 2011 at 10:56 PM, Nalin Dahyabhai <[email protected]> wrote:
> On Sun, Oct 16, 2011 at 07:32:28PM +0800, Lee Eric wrote:
>> I'm very curious why the system is going to try afs there. I have
>> defined the home dirs in NFS shares.
>
> Either pam_krb5 or pam_afs_session (or both) is attempting to set tokens
> for the workstation's default cell, if there is one.
>
> Users who don't have their home directories in AFS can still be members
> of groups who have access to data that unauthenticated users can't
> access, so it's worth doing.
>
> HTH,
>
> Nalin
>
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
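
Added example, not part of the original messages or of either PAM module: a small Python check that parses PAM rules (including the "-" prefix and bracketed controls seen above) and reports which ones load pam_krb5 or pam_afs_session, the two modules the reply names as setting AFS tokens. The function names and the CONSTRUCTED sample are assumptions made for illustration; SYSTEM_AUTH is the auth and session part of the pasted /etc/pam.d/system-auth.

```python
import re

# Modules the thread names as the ones that may try to set AFS tokens.
AFS_TOKEN_MODULES = {"pam_krb5.so", "pam_afs_session.so"}

# [-]type  control (word or [bracketed list])  module  [arguments]
PAM_LINE = re.compile(
    r"^(?P<quiet>-?)(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")

def parse_pam(text):
    """Parse PAM rules from text, skipping blank lines and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = PAM_LINE.match(line)
        if match is None:
            raise ValueError(f"unparsable PAM line: {raw!r}")
        rules.append(match.groupdict())
    return rules

def afs_token_rules(rules):
    """Rules that load a module from AFS_TOKEN_MODULES (path prefix ignored)."""
    return [r for r in rules if r["module"].rsplit("/", 1)[-1] in AFS_TOKEN_MODULES]

# auth and session rules of /etc/pam.d/system-auth as pasted in the message.
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
"""

# Constructed sample (not from the message): a stack that does load both modules.
CONSTRUCTED = """\
auth        sufficient    pam_krb5.so
session     optional      pam_afs_session.so   # constructed line
"""

if __name__ == "__main__":
    for name, text in (("system-auth", SYSTEM_AUTH), ("constructed", CONSTRUCTED)):
        hits = afs_token_rules(parse_pam(text))
        print(name, [(h["type"], h["module"]) for h in hits] or "no AFS token modules")
```

Run against the pasted rules it reports no AFS token modules, so the same check has to be repeated on the other files under /etc/pam.d to find the rule that loads them.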
