This is probably only relevant to people using Kerberos/OpenAFS for login
and home directories.  I would appreciate hearing from others who have run
into this particular problem.

Problem: after upgrading to kernel 2.6.18-164.9.1, no tokens after kdm
login; klist shows that we have tickets.  Running aklog manually gets us a
token, but we should already have one after logging in.

Tested on SL 5.2 and SL 5.4.

Setting debug=true in the pam section of appdefaults of /etc/krb5.conf
showed that 2 additional Kerberos setups were being made, and that AFS
tokens were being created and destroyed, so we were not ending up with a
token once logged into a KDE session.

Some changes to the pam configurations for kdm and system-auth later, and we
have tokens again.

/etc/pam.d/kdm (commented out keyinit)

#%PAM-1.0
auth       include     system-auth
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
# session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_selinux.so
session    optional    pam_console.so


/etc/pam.d/system-auth  (commented out pam_krb5 in account and session)

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5afs.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
# account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
# session     optional      pam_krb5.so

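A small script, added here as an example and not part of the original post, that flattens the kdm PAM stacks through the `include` directives so the effective order of the session modules can be read off directly, which is what the krb5.conf debug output hinted at. It embeds the two post-fix files above as in-memory strings (so it runs without touching a real /etc/pam.d), reconstructs the pre-fix state by re-enabling the three commented-out rules, and lists every pam_krb5*/pam_keyinit entry in the resulting session stack. It handles `include` only; `substack` and other Linux-PAM extensions are out of scope (an assumption of this example).

```python
"""Flatten PAM service stacks through `include` and report the effective
module order per management group (auth/account/password/session).

Added example, not from the original post.  The two configs below are
in-memory copies of the post-fix /etc/pam.d/kdm and system-auth from the
message; `enable_commented_rules` reconstructs the pre-fix files by
re-enabling the commented-out rules the post says were removed.
"""
import re
from collections import defaultdict

# Constructed stand-in for /etc/pam.d, contents copied from the post.
PAM_D = {
    "kdm": """
#%PAM-1.0
auth       include     system-auth
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
# session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_selinux.so
session    optional    pam_console.so
""",
    "system-auth": """
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5afs.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
# account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
# session     optional      pam_krb5.so
""",
}

# group, control (plain word or [bracketed expression with spaces]), module, optional args
RULE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_lines(text):
    """Yield (group, control, module, args) for each rule, skipping comments/blanks."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        group, control, module, args = m.groups()
        yield group, control, module, (args or "").split()


def flatten(service, pam_d=PAM_D, _depth=0):
    """Return {group: [(control, module, args), ...]} with `include` expanded.

    As in Linux-PAM, an `include` pulls in only the same group's rules from
    the included file, at the position of the include line.
    """
    if _depth > 8:
        raise RecursionError("PAM include loop")
    stacks = defaultdict(list)
    for group, control, module, args in parse_lines(pam_d[service]):
        if control == "include":
            stacks[group].extend(flatten(module, pam_d, _depth + 1)[group])
        else:
            stacks[group].append((control, module, args))
    return stacks


def enable_commented_rules(text):
    """Re-enable commented-out rule lines ('# session ...') to rebuild the pre-fix file."""
    return re.sub(r"^#\s*(?=(auth|account|password|session)\s)", "", text, flags=re.MULTILINE)


def token_setup_report(service, pam_d=PAM_D):
    """Every Kerberos/AFS module and pam_keyinit entry in the effective session stack, in order."""
    return [
        (module, control, " ".join(args))
        for control, module, args in flatten(service, pam_d)["session"]
        if module.startswith("pam_krb5") or module == "pam_keyinit.so"
    ]


if __name__ == "__main__":
    pre_fix = {name: enable_commented_rules(text) for name, text in PAM_D.items()}
    for label, tree in (("post-fix", PAM_D), ("reconstructed pre-fix", pre_fix)):
        print(f"kdm session stack ({label}):")
        for control, module, args in flatten("kdm", tree)["session"]:
            print(f"  {control:<30} {module:<20} {' '.join(args)}")
        print("  token-relevant entries:", token_setup_report("kdm", tree))
```

Run against the pre-fix reconstruction, the session stack shows pam_keyinit twice (kdm's own `force revoke`, then system-auth's `revoke`) followed by pam_krb5.so; the post-fix stack keeps only the single pam_keyinit from system-auth, with pam_krb5afs doing its work in the auth stack alone.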