We're still using the old AFS kas server at our university, and it took a
while to figure out what was going on. I've had no problems with the PAM
module included in the OpenAFS source distribution for Solaris and with
sshd using PAM. But with Red Hat Linux I ran into some issues. PAM was
giving back PAM_REINITIALIZE_CRED... but if you look at the code in
afs_setcred.c in the src/pam directory... that code just returns back a
success message and no tokens. Had to modify the code to get tokens...
You would think that "reinitialize" would mean to reinitialize the
credentials and get tokens... but maybe it was done that way for a reason?

At line 189, comment out these lines:

    // } else if (flags & PAM_REINITIALIZE_CRED) {
    //     if (logmask && LOG_MASK(LOG_DEBUG))
    //         pam_afs_syslog(LOG_DEBUG, PAMAFS_REINITCRED, user);
    //     RET(PAM_SUCCESS);

Insert these lines at about 305 or so:

    if (flags & PAM_REINITIALIZE_CRED) {
        if (use_klog)
            auth_ok = !do_klog(user, password, NULL, cell_ptr);
        else {
            if (ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION,
                                           user,      /* kerberos name */
                                           NULL,      /* instance */
                                           cell_ptr,  /* realm */
                                           password,  /* password */
                                           0,         /* default lifetime */
                                           &password_expires,
                                           0,         /* spare 2 */
                                           &reason    /* error string */
                )) {
                pam_afs_syslog(LOG_ERR, PAMAFS_LOGIN_FAILED, user, reason);
            } else {
                auth_ok = 1;
            }
        }
    }