On Fri, Feb 18, 2011 at 12:19 PM, Brandon S Allbery KF8NH <[email protected]> wrote:

> On 2/18/11 14:14 , Andy Cobaugh wrote:
>> Just curious why you're not just using the stock pam_krb5? At least in a
>> plain jane krb5 environment, pam_krb5 has worked fine for us (though I
>> haven't tried very recent Fedora).
>
> There are programs which don't do PAM right; in particular, they run
> pam_krb5 in root's context instead of the user's context, which worst-case
> results in a UID-based (no PAG) root token and no user token. This works
> fine with krb5 if they do it right, but the token is a side effect that
> can't be corrected in the session module.
Right, I want PAG support and the other benefits of pam_afs_session. RedHat's pam_krb5's AFS support is not very good. In addition to not granting PAGs, I've seen situations where it will check if AFS is running, and if so, it attempts to convert the user's Kerberos 5 credential to a Kerberos 4 credential. This will time out because it cannot find the Kerberos 4 KDCs (none exist). Logins were taking a minute or more in these cases. Setting "ignore_afs" solved the problem.

A second reason I want pam_afs_session in Fedora/RedHat is that the newer authentication module, pam_sss, doesn't include AFS support, and I have a feeling that it will not be high on the developers' priority list. At least a bug is filed: https://fedorahosted.org/sssd/ticket/463

- Ken

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
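The arrangement Ken describes, as an added illustration rather than anything posted to the thread: pam_krb5 carries the "ignore_afs" option so it never attempts the Kerberos 4/AFS token conversion that was stalling logins, and pam_afs_session is stacked in the session phase to create the PAG and obtain the AFS token from the Kerberos 5 ticket instead. The service name, control flags and the assumption that pam_krb5 appears in every phase are choices made for this example, not from the original message.

```text
# /etc/pam.d/<service>  (hypothetical stack for this example)
# auth: obtain the Kerberos 5 ticket; ignore_afs keeps pam_krb5 out of AFS
auth      required   pam_env.so
auth      sufficient pam_krb5.so ignore_afs
auth      required   pam_unix.so try_first_pass

account   required   pam_unix.so
account   [default=bad success=ok user_unknown=ignore] pam_krb5.so ignore_afs

password  sufficient pam_krb5.so ignore_afs
password  required   pam_unix.so use_authtok

# session: pam_krb5 places the ticket cache (still with ignore_afs), then
# pam_afs_session creates a PAG for the user and runs aklog against it.
# Ordering matters: pam_afs_session must come after the module that sets
# KRB5CCNAME, or there is no ticket to convert.
session   required   pam_unix.so
session   optional   pam_krb5.so ignore_afs
session   optional   pam_afs_session.so
```

With this stack the AFS token lives in the user's own PAG rather than a UID-based root token, which is the failure mode Brandon describes when a program runs pam_krb5 in root's context.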
