> I finally got around to doing a proper fix for these issues.

Nice :-)

> 1. pam_krb5 was basically doing 'fs whichcell /afs' to determine the name
> of the local cell. So if you had dynroot enabled it wanted to obtain
> tokens in a cell named 'dynroot'. I changed it to do the equivalent of 'fs
> wscell' instead.

Yes.

> 2. pam_krb5 only tries to get tokens for the local cell by default. I
> changed it to also try to get tokens in the cell containing the user's
> home directory, if different than the local cell.

Are you looking at TheseCells in configdir and $HOME/.TheseCells?

> 3. pam_krb5 needs to know which Kerberos realm to use to obtain the AFS
> service ticket. It basically uses the following procedure:
>
> fs whereis /afs/cell.name
>
> look up the DNS names of the file servers for /afs/cell.name
>
> use krb5_get_host_realm() on these DNS names to get the matching
> Kerberos realm

That is tricky but I doubt if this is the right strategy. What if your root.cell is in 2 different realms? (openafs.org was like that for a while)

I think you have to go with the local realm of the workstation (DNS or krb5.conf) and if there is neither [EMAIL PROTECTED] nor afs/[EMAIL PROTECTED] I think you may as well give up. You may want to try afs/[EMAIL PROTECTED] as a last way out.

> 4. Not all of the debugging statements in pam_krb5 were active, even when
> 'debug' was specified in the pam configuration files. Some of the
> debugging statements that didn't work were instrumental in figuring out
> what was wrong with the above problems.

Good. I never succeeded in debugging PAM myself before.

> 5. I also packaged the 'afs5log' program. This is included with the source
> code of pam_krb5, and basically does the same thing as 'aklog', except
> using Red Hat's own AFS code instead of the actual AFS libraries.
> It's useful for debugging purposes since it acts mostly identically to
> pam_krb5.

Ah.

(I cut openafs-info from the recipients because this does not fit "info").

Harald.
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
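The realm-selection question from point 3, as an added example that is not part of the original message and is not pam_krb5 code: it maps a cell's file servers to realms with a simplified model of a krb5.conf `[domain_realm]` lookup and uses the result only when all servers agree, otherwise falling back to the workstation's local realm. The host names, realms, mapping and function names are all constructed for illustration.

```python
# Added illustration; host names, realms and the mapping are constructed.
DOMAIN_REALM = {                      # stands in for krb5.conf [domain_realm]
    ".example.org": "EXAMPLE.ORG",
    "fs2.example.org": "DEPT.EXAMPLE.ORG",
}

def host_realm(host, domain_realm=DOMAIN_REALM):
    """Simplified [domain_realm] lookup: an exact host entry wins, then the
    closest parent domain written with a leading dot. None if unmapped."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return None

def cell_realms(fileservers, domain_realm=DOMAIN_REALM):
    """Group a cell's file servers by the realm each one maps to."""
    groups = {}
    for fs in fileservers:
        groups.setdefault(host_realm(fs, domain_realm), []).append(fs)
    return groups

def pick_realm(fileservers, local_realm, domain_realm=DOMAIN_REALM):
    """Use the server-derived realm only when every file server agrees;
    otherwise fall back to the workstation's local realm."""
    groups = cell_realms(fileservers, domain_realm)
    if len(groups) == 1 and None not in groups:
        return next(iter(groups)), "all file servers map to one realm"
    if not groups or set(groups) == {None}:
        return local_realm, "no file server maps to a realm"
    seen = ", ".join(sorted(str(r) for r in groups))
    return local_realm, "file servers disagree: " + seen

if __name__ == "__main__":
    # Constructed file-server lists, as 'fs whereis' plus DNS might yield.
    for servers in (["fs1.example.org", "fs3.example.org"],
                    ["fs1.example.org", "fs2.example.org"],
                    ["afs.other.test"]):
        print(servers, "->", pick_realm(servers, "LOCAL.EXAMPLE"))
```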
