] Russ Allbery wrote:
] > John Tang Boyland <[EMAIL PROTECTED]> writes:
] >
] >> ] It looks like you're not running pam_krb5 in the session stack. pam_krb5
] >> ] should be listed in the session stack before pam_afs_session, and that
] >> ] will probably fix the problem.
] >>
] >> (BTW: This is Sun-provided pam_krb5)
] >
] > Ah, hm. I wonder if the Sun-provided pam_krb5 won't write out the ticket
] > cache during pam_open_session the way that mine will.
] >
] > You may have to try Unix first and then try pam_krb5 so that you can put
] > pam_afs_session into the auth group. Something like:
] >
] > dtlogin auth requisite pam_authtok_get.so.1
] > dtlogin auth required pam_dhkeys.so.1
] > dtlogin auth required pam_unix_cred.so.1
] > dtlogin auth sufficient pam_unix_auth.so.1
] > dtlogin auth required pam_krb5.so.1
] > dtlogin auth required pam_afs_session.so.1
]
] I believe you are correct. As a test I built the pam_afs_session-1.5
] on Solaris 10 (sparc) using the Sun Kerberos and OpenAFS 1.4.6,
] as I have been meaning to do this for some time to see if it could
] replace pam_afs2. I then modified /etc/pam.conf to call pam_afs_session
] in a few places (but not all yet). In all cases it is using the pam_sm_setcred
] routine to set the pag and/or get a token.
]
] #DEE smartcard failed, so skip it for now
] #dtlogin auth requisite pam_smartcard.so.1
] dtlogin auth requisite pam_authtok_get.so.1
] dtlogin auth required pam_dhkeys.so.1
] dtlogin auth required pam_unix_cred.so.1
] dtlogin auth optional pam_krb5.so.1
] dtlogin auth required /krb5/lib/pam_afs_session.so.1 debug
] #dtlogin auth required /krb5/lib/pam_afs2.so.1
] # allows password login
] dtlogin auth optional pam_unix_auth.so.1
]
] #
] # dtsession - lock/unlock screen, refresh creds and AFS token
] #
] dtsession auth requisite pam_authtok_get.so.1
] dtsession auth required pam_dhkeys.so.1
] dtsession auth optional pam_krb5.so.1
] dtsession auth required /krb5/lib/pam_afs_session.so.1 debug
] #dtsession auth required /krb5/lib/pam_afs2.so.1 nopag
] # allows unlock with local password
] dtsession auth optional pam_unix_auth.so.1
]
] #
] # xscreensaver used by gnome or CDE
] #
] xscreensaver auth requisite pam_authtok_get.so.1
] xscreensaver auth required pam_dhkeys.so.1
] xscreensaver auth optional pam_krb5.so.1
] xscreensaver auth required /krb5/lib/pam_afs_session.so.1 debug
] #xscreensaver auth required /krb5/lib/pam_afs2.so.1 nopag
] # allows unlock with local password
] xscreensaver auth optional pam_unix_auth.so.1
] #
]
] --
]
] Douglas E. Engert <[EMAIL PROTECTED]>
] Argonne National Laboratory
] 9700 South Cass Avenue
] Argonne, Illinois 60439
] (630) 252-5444
Sorry, I finally have time to reply to this. I tried both suggestions but
neither worked. It still writes out the Kerberos token after calling
pam_afs_session. This is specific to dtlogin; sshd does fine. The workaround
is to log in twice: first in a failsafe session, immediately log out, and then
log in using the normal session.

John

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
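The ordering rule the thread turns on (pam_krb5 must run, and write its ticket cache, before pam_afs_session in the same stack) is easy to lose when editing a long Solaris /etc/pam.conf by hand. The checker below is an added example, not code from the thread or from the pam_afs_session project; the pam.conf text it parses is constructed, and the `svc_broken` service is hypothetical.

```python
import re
from collections import defaultdict

# Constructed pam.conf text in Solaris format (service type flag path options).
# The dtlogin stack follows the ordering suggested in the thread; the
# hypothetical svc_broken service lists pam_afs_session before pam_krb5.
SAMPLE_PAM_CONF = """\
# dtlogin - Unix first, then pam_krb5, then pam_afs_session
dtlogin    auth    requisite   pam_authtok_get.so.1
dtlogin    auth    required    pam_dhkeys.so.1
dtlogin    auth    required    pam_unix_cred.so.1
dtlogin    auth    sufficient  pam_unix_auth.so.1
dtlogin    auth    required    pam_krb5.so.1
dtlogin    auth    required    /krb5/lib/pam_afs_session.so.1 debug
# svc_broken (constructed) - AFS module runs before the Kerberos module
svc_broken session required    /krb5/lib/pam_afs_session.so.1
svc_broken session optional    pam_krb5.so.1
"""


def parse_pam_conf(text):
    """Yield (service, module_type, control_flag, module_name) per entry.

    Comments and blank lines are skipped; the module name is the file name
    with any trailing .so / .so.N suffix removed so paths compare equal.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry: fewer than the four mandatory fields
        service, mtype, flag, path = fields[:4]
        name = re.sub(r"\.so(\.\d+)?$", "", path.rsplit("/", 1)[-1])
        yield service, mtype, flag, name


def check_afs_ordering(text):
    """Return {(service, module_type): message} for every stack in which
    pam_afs_session appears without pam_krb5 listed earlier in that stack."""
    stacks = defaultdict(list)
    for service, mtype, _flag, name in parse_pam_conf(text):
        stacks[(service, mtype)].append(name)
    problems = {}
    for key, names in stacks.items():
        if "pam_afs_session" in names:
            afs_pos = names.index("pam_afs_session")
            if "pam_krb5" not in names[:afs_pos]:
                problems[key] = "pam_krb5 must precede pam_afs_session"
    return problems
```

The check looks only at ordering within one (service, type) stack; it does not judge control flags, so a pam_krb5 marked optional that fails silently still passes.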
