Russ Allbery wrote:
John Tang Boyland <[EMAIL PROTECTED]> writes:

] It looks like you're not running pam_krb5 in the session stack.  pam_krb5
] should be listed in the session stack before pam_afs_session, and that
] will probably fix the problem.

(BTW: This is Sun-provided pam_krb5)

Ah, hm.  I wonder if the Sun-provided pam_krb5 won't write out the ticket
cache during pam_open_session the way that mine will.

You may have to try Unix first and then try pam_krb5 so that you can put
pam_afs_session into the auth group.  Something like:

dtlogin   auth requisite          pam_authtok_get.so.1
dtlogin   auth required           pam_dhkeys.so.1
dtlogin   auth required           pam_unix_cred.so.1
dtlogin   auth sufficient         pam_unix_auth.so.1
dtlogin   auth required           pam_krb5.so.1
dtlogin   auth required           pam_afs_session.so.1

I believe you are correct. As a test I built pam_afs_session-1.5
on Solaris 10 (sparc) using the Sun Kerberos and OpenAFS 1.4.6,
as I have been meaning to do this for some time to see if it could
replace pam_afs2. I then modified /etc/pam.conf to call pam_afs_session
in a few places (but not all yet). In all cases it is using the pam_sm_setcred
routine to set pag and/or get a token.

#DEE smartcard failed, so skip it for now
#dtlogin    auth requisite      pam_smartcard.so.1
dtlogin     auth requisite      pam_authtok_get.so.1
dtlogin     auth required       pam_dhkeys.so.1
dtlogin     auth required       pam_unix_cred.so.1
dtlogin     auth optional       pam_krb5.so.1
dtlogin     auth required       /krb5/lib/pam_afs_session.so.1 debug
#dtlogin        auth required       /krb5/lib/pam_afs2.so.1
# allows password login
dtlogin     auth optional       pam_unix_auth.so.1

#
# dtsession - lock/unlock screen, refresh creds and AFS token
#
dtsession   auth requisite      pam_authtok_get.so.1
dtsession   auth required       pam_dhkeys.so.1
dtsession   auth optional       pam_krb5.so.1
dtsession   auth required       /krb5/lib/pam_afs_session.so.1 debug
#dtsession  auth required       /krb5/lib/pam_afs2.so.1 nopag
# allows unlock with local password
dtsession   auth optional       pam_unix_auth.so.1

#
# xscreensaver used by gnome or CDE
#
xscreensaver    auth requisite      pam_authtok_get.so.1
xscreensaver    auth required       pam_dhkeys.so.1
xscreensaver    auth optional       pam_krb5.so.1
xscreensaver    auth required       /krb5/lib/pam_afs_session.so.1 debug
#xscreensaver    auth required      /krb5/lib/pam_afs2.so.1  nopag
# allows unlock with local password
xscreensaver    auth optional       pam_unix_auth.so.1
#

Alternately, you can use my pam-krb5 module, which will write out the
ticket cache during open_session.


--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
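As an added check (not from the thread and not tooling of pam_afs_session or pam-krb5), the script below parses Solaris-style /etc/pam.conf lines and reports every stack in which pam_afs_session is not preceded by pam_krb5, which is the ordering both posters rely on so that a ticket cache exists when pam_afs_session runs. The sample pam.conf is constructed for the example; the dtlogin stack is modelled on the one quoted above, while the sshd and "other" stacks are deliberately mis-ordered.

```python
"""Check Solaris pam.conf stacks for pam_krb5-before-pam_afs_session ordering."""
from collections import defaultdict
import os

# Constructed sample (service module_type control_flag module_path [options]).
# dtlogin follows the thread's working order; sshd and other are mis-ordered on purpose.
SAMPLE_PAM_CONF = """\
# dtlogin - matches the stack discussed on the list
dtlogin   auth    requisite  pam_authtok_get.so.1
dtlogin   auth    required   pam_dhkeys.so.1
dtlogin   auth    required   pam_unix_cred.so.1
dtlogin   auth    optional   pam_krb5.so.1
dtlogin   auth    required   /krb5/lib/pam_afs_session.so.1 debug
dtlogin   auth    optional   pam_unix_auth.so.1
sshd      auth    required   /krb5/lib/pam_afs_session.so.1
sshd      auth    optional   pam_krb5.so.1
other     session required   pam_afs_session.so.1
"""


def parse_pam_conf(text):
    """Return {(service, module_type): [(control, module_basename, options)]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # a valid pam.conf entry has at least four fields
        service, mtype, control, module = fields[:4]
        stacks[(service, mtype)].append((control, os.path.basename(module), fields[4:]))
    return stacks


def check_afs_session_order(text):
    """List (service, type, message) for stacks where pam_afs_session has no earlier pam_krb5."""
    problems = []
    for (service, mtype), entries in parse_pam_conf(text).items():
        names = [name for _, name, _ in entries]
        krb5_at = [i for i, n in enumerate(names) if n.startswith("pam_krb5")]
        for i, name in enumerate(names):
            if name.startswith("pam_afs_session") and not any(k < i for k in krb5_at):
                problems.append((service, mtype, "pam_afs_session without preceding pam_krb5"))
    return problems


def check_file(path="/etc/pam.conf"):
    """Run the ordering check against a pam.conf on disk."""
    with open(path) as fh:
        return check_afs_session_order(fh.read())


if __name__ == "__main__":
    for service, mtype, msg in check_afs_session_order(SAMPLE_PAM_CONF):
        print(f"{service} {mtype}: {msg}")
```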
