SCIENTIFIC-LINUX-USERS Archives

January 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Troy Dawson <[log in to unmask]>
Reply To:
Troy Dawson <[log in to unmask]>
Date:
Tue, 31 Jan 2006 09:22:38 -0600
Hi,
Yes, here at Fermilab we saw this when we first switched to S.L. 4.x 
based linux.  I can't remember all the details, but in the end I found 
the following to work best for us.

         pam = {
                 debug = false
                 ticket_lifetime = 100000
                 renew_lifetime = 100000
                 forwardable = true
                 krb4_convert = true  # True gets AFS tokens
                 afs_cells = fnal.gov  # AFS token for right cell
                 ignore_afs = true
         }

Notice the "ignore_afs = true"
And then in /etc/profile.d we have

# cat /etc/profile.d/z_krb5.csh
# Put the site Kerberos tools first in the path (sbin as well for root)
set path = ( /usr/krb5/bin $path )
if ( `id -u` == 0 ) then
        set path = ( /usr/krb5/sbin $path )
endif
# Only run aklog when AFS is mounted and the user holds a valid ticket
df --type=afs | grep -qi afs
if ( $? == 0 ) then
        /usr/krb5/bin/klist -s >& /dev/null
        if ( $? == 0 ) then
                aklog -setpag
        endif
endif

# cat /etc/profile.d/z_krb5.sh
# Put the site Kerberos tools first in the path (sbin as well for root)
PATH=/usr/krb5/bin:${PATH}
if [ `id -u` = 0 ] ; then
        PATH=/usr/krb5/sbin:${PATH}
fi
# Only run aklog when AFS is mounted and the user holds a valid ticket
df --type=afs | grep -qi afs
if [ $? -eq 0 ] ; then
        /usr/krb5/bin/klist -s > /dev/null 2>&1
        if [ $? -eq 0 ] ; then
                aklog -setpag
        fi
fi

Now this is setting the default kerberos to be our kerberos, but it is 
also checking to see if AFS is on, checking to make sure the user has a 
kerberos ticket (NOTE: for Red Hat's kerberos use a different check) and 
if those two things are true, it then does an aklog with the -setpag 
setting.
This has worked quite well ... and as an extra bonus, we no longer have 
afs token stealing when two people log into the same account.

The exact reasons why we had to do this, as I said I can't remember, 
but the details are on the afs-info mailing list I believe.

Troy

Hugo Meiland wrote:
> Hi all,
> 
> A quick question before I start bugging the dev list: I'm using SL4.2 as a
> workstation and authenticate to a MIT kerberos5 server (no krb4 or 524
> services), and use a homedir on our afs cell. To enable this in SL, I use
> the pam_krb5 rpm, which is currently version 2.1.8-1. This works, except it
> takes about half a minute before the authentication is done, and I'm
> connected to my homedir.
> 
> Has anyone seen this on other sites? 
> 
> The problem seems to be in the pam_krb5 module which forces krb4 translation
> when using afs...
> 
> Some relevant info:
> -krb5.conf
> pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>    krb4_get_tickets = false
>  }
> 
> - pam.d/system-auth
> auth sufficient /lib/security/$ISA/pam-krb5afs.so use_first_pass tokens (<-
> not sure about the file, but options are correct)
> 
> Thank you in advance!
> 
> Hugo Meiland,
> ICT Chemistry Department,
> Leiden University,
> The Netherlands


-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/CSS  CSI Group
__________________________________________________
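The login-time logic Troy describes above (run aklog -setpag only when an AFS filesystem is mounted and the user holds a valid Kerberos ticket), written here as POSIX sh functions whose exit status can be checked; this is an added example, not code from the thread. It goes slightly beyond the posted script by also looking for klist under /usr/kerberos/bin (assumed here to be Red Hat's location, the "different check" Troy's note alludes to) and on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: the profile.d logic as sh functions.
# Assumes GNU df (--type) and an MIT-style klist (-s). Paths other than
# /usr/krb5/bin are assumptions: /usr/kerberos/bin is Red Hat's location.

# Exit 0 when an AFS filesystem is mounted on this host.
have_afs_mount() {
    df --type=afs 2>/dev/null | grep -qi afs
}

# Exit 0 when the caller holds a valid, unexpired Kerberos 5 ticket.
# The first klist found wins; exit 2 when no klist is installed at all.
have_krb5_ticket() {
    for k in /usr/krb5/bin/klist /usr/kerberos/bin/klist klist; do
        if command -v "$k" >/dev/null 2>&1; then
            "$k" -s >/dev/null 2>&1
            return $?
        fi
    done
    return 2
}

# Obtain an AFS token in a fresh PAG only when both checks pass, so each
# login gets its own token and a second login to the same account cannot
# reuse it. Exit 0 if aklog ran, 1 if a check failed, 3 if aklog is missing.
get_afs_token() {
    have_afs_mount || return 1
    have_krb5_ticket || return 1
    command -v aklog >/dev/null 2>&1 || return 3
    aklog -setpag
}

# At login time: status 1 is the normal case on a host without AFS.
get_afs_token || :
```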
