* Shadrach Smith [2016-06-30 17:10:45 +0000]:
> Thanks Ben,
>
> I'm trying to setup afs and kerberos in a way that when the users log in,
> they are automatically authenticated to kerberos and afs.
>
> I've tried different pam settings, and it doesn't seem like it is supposed to
> be difficult.

Indeed I don't find it difficult. Maybe you could describe what it is that
you've tried and in what ways it failed? Note that most PAM modules can be
made to log their decisions verbosely when passed the "debug" option.

> I do not have any central login servers, just linux clients using
> /etc/passwd, kerberos and afs

Is the intent that users should authenticate to the clients using their
Kerberos credentials? The usual answer is "yes". If so, you'll need pam_krb5
or equivalent in your configuration. You'll almost certainly also want a
host/f.q.d.n@REALM service principal for each client, with the corresponding
keys stored in /etc/krb5.keytab; if you don't have this you may need
additional configuration, the details of which depend on the pam_krb5
implementation (I'm not sure what CentOS 6.7 is using).

If users are to log in using other, non-Kerberos, credentials (e.g., ssh
public keys) you'll need to either prompt them for their Kerberos password or
set up some other mechanism to get a TGT based on the authentication they did
provide.

> I'll check out k5start
>
>
> Cheers,
>
> Shadrach
>
> ________________________________
> From: Benjamin Kaduk <ka...@mit.edu>
> Sent: Thursday, June 30, 2016 11:58:42 AM
> To: Shadrach Smith
> Cc: openafs-info@openafs.org
> Subject: Re: [OpenAFS] kinit/aklog auto-authenticate info
>
> On Wed, 29 Jun 2016, Shadrach Smith wrote:
>
> > I'm having trouble getting my users to auto authenticate (very necessary
> > for openlava)
> > Is there a good resource for this? I'm seeing a lot of different
> > information and nothing appears definitive.
> > centos 6.7, openafs 1.6.14-1, pam-afs-session-2.6
>
> The question is a bit sparse on the actual details of what you want, but
> the first thing I would point you at is Russ Allbery's k5start -- despite
> the name, it can manage AFS tokens as well as kerberos tickets, starting
> from keytab (preferred) or password.
>
> -Ben

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
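
An offline check for the two prerequisites named in the reply above (a host/f.q.d.n@REALM key in the keytab, and pam_krb5 in the PAM stack, optionally with "debug"), added here as an example and not part of the original thread. The hostname, realm and PAM lines are constructed and the function names are hypothetical; on a real client the input would come from `klist -k` and the relevant service file under /etc/pam.d.

```shell
#!/bin/sh
# Added example; every hostname, realm and PAM line below is constructed.

# has_host_principal FQDN REALM: reads `klist -k` output on stdin and
# succeeds only if the keytab lists host/FQDN@REALM.
has_host_principal() {
    awk -v want="host/$1@$2" '
        $1 ~ /^[0-9]+$/ && $NF == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# pam_module_report MODULE: reads a PAM service file on stdin and prints
# "<type> debug" or "<type> nodebug" for each active line that loads MODULE.
pam_module_report() {
    awk -v mod="$1.so" '
        /^[ \t]*#/ || NF < 3 { next }          # skip comments and short lines
        {
            hit = 0; dbg = "nodebug"
            for (i = 3; i <= NF; i++) {        # module may follow a [..] control
                n = split($i, path, "/")       # accept a full path to the .so
                if (!hit && path[n] == mod) hit = 1
                else if (hit && $i == "debug") dbg = "debug"
            }
            if (hit) { t = $1; sub(/^-/, "", t); print t, dbg }
        }'
}

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/client1.example.org@EXAMPLE.ORG'

SAMPLE_PAM='# constructed service file, not a recommended stack
auth     sufficient  pam_krb5.so debug
auth     required    pam_unix.so try_first_pass
session  optional    pam_krb5.so
session  optional    pam_afs_session.so'

if printf '%s\n' "$SAMPLE_KLIST" | has_host_principal client1.example.org EXAMPLE.ORG
then echo "keytab: host principal present"
else echo "keytab: host principal MISSING"
fi
for m in pam_krb5 pam_afs_session; do
    echo "$m:"; printf '%s\n' "$SAMPLE_PAM" | pam_module_report "$m"
done
```

The keytab check expects plain `klist -k` output, where the principal is the last field on each entry line.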