I use a Kerberos 5 setup with OpenAFS. Because the Gentoo version of pam_krb5 does not incorporate the options used for getting AFS tokens, pam_afs_session is required. However, this module does not seem to cooperate with PAM unless the nopag option is used, which compromises security.

=========
:~> emerge --info
Portage 2.1.9.25 (default/linux/x86/10.0/desktop, gcc-4.4.5, glibc-2.11.2-r3, 2.6.36-gentoo-r5 i686)
=================================================================
System uname: Linux-2.6.36-gentoo-r5-i686-Intel-R-_Xeon-R-_CPU_E5345_@_2.33GHz-with-gentoo-1.12.14
Timestamp of tree: Mon, 28 Feb 2011 14:30:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python:     2.6.6-r2, 3.1.3-r1
dev-util/ccache:     2.4-r9
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.14-r1
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.5
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.36.1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs candy ccache distlocks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US"
LC_ALL="en_US"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en"
MAKEOPTS="-j9"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi afs alsa berkdb branding bzip2 cairo cdr cli consolekit cracklib crypt cups cxx dbus dri dts dvd dvdr emacs emboss encode exif fam firefox flac foomaticdb fortran gcj gdbm gdu gif gpm gtk iconv ieee1394 imagemagick jpeg kerberos latex lcms libnotify lock mad mikmod mng modules mp3 mp4 mpeg mudflap ncurses nis nls nptl nptlonly ogg opengl openmp pam pango pcre pdf perl pic png policykit ppds pppd python qt3support qt4 readline sasl sdl session spell ssl startup-notification svg sysfs tcpd thunar tiff truetype udev unicode usb vorbis x264 x86 xcb xml xorg xscreensaver xulrunner xv xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="evdev wacom"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en"
PHP_TARGETS="php5-3"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="nvidia vesa"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

========
:~> cat /etc/krb5.conf
[libdefaults]
    default_realm = CABI.RFMH.ORG
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true
    allow_weak_crypto = true

[realms]
    CABI.RFMH.ORG = {
        kdc = gozer.rfmh.org
        kdc = inara.rfmh.org
        kdc = hathor.rfmh.org
        master_kdc = gozer.rfmh.org
        admin_server = gozer.rfmh.org
        default_domain = rfmh.org
    }

[domain_realm]
    .rfmh.org = CABI.RFMH.ORG
    rfmh.org = CABI.RFMH.ORG

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[appdefaults]
    debug = true

========
:~> cat /etc/pam.d/system-auth
auth      required    pam_env.so
auth      sufficient  pam_krb5.so ignore_root
auth      optional    pam_afs_session.so program=/usr/bin/aklog nopag
auth      sufficient  pam_unix.so try_first_pass likeauth nullok
auth      optional    pam_permit.so

account   sufficient  pam_krb5.so ignore_root
account   required    pam_unix.so
account   optional    pam_permit.so

password  required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password  sufficient  pam_krb5.so use_authtok ignore_root
password  sufficient  pam_unix.so use_authtok nullok sha512 shadow
password  optional    pam_permit.so

session   required    pam_limits.so
session   required    pam_env.so
session   optional    pam_krb5.so ignore_root
session   required    pam_afs_session.so program=/usr/bin/aklog nopag
session   required    pam_unix.so
session   optional    pam_permit.so

Reproducible: Always
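What the nopag option in the system-auth above gives up is the PAG: without one, AFS tokens are attached to the numeric UID, so every process running as that UID on the host (including a shell root reaches with su) shares them, which is the security concern the report refers to. The following shell check is an added example, not code from the bug report, from pam-afs-session or from OpenAFS. It decodes the OpenAFS PAG, if any, from a process's supplementary group list, so you can log in with and without nopag and compare `id -G`, or compare a shell before and after `pagsh`. The function names and the sample group lists are made up for this example; the two gid encodings (a single gid in 0x41000000..0x41ffffff, or a pair of gids offset by 0x3f00 carrying the PAG in their low 14 bits) are taken from my reading of OpenAFS's Linux osi_groups.c and should be treated as an assumption to confirm against the openafs-kernel sources you have installed. On keyring-based kernels an afs_pag key in `keyctl show` is the other indicator.

```shell
#!/bin/sh
# Added example, not code from the bug report or from OpenAFS/pam-afs-session.
# Decodes an OpenAFS PAG from a process's supplementary group list so you can
# see whether a login session actually got its own PAG, which is what the
# "nopag" option of pam_afs_session switches off.
#
# Assumed gid encodings (from OpenAFS src/afs/LINUX/osi_groups.c as I read it;
# verify against your openafs-kernel sources):
#   one-group form: the PAG number itself appears as a gid in
#                   0x41000000..0x41ffffff ('A' << 24 | counter)
#   two-group form: the first two gids g0, g1 satisfy 0 <= g - 0x3f00 < 0xc000
#                   and the PAG is rebuilt from their low 14 bits plus high bits

# afs_pag_from_groups "gid gid ..." : prints the PAG as 0x%08x and returns 0,
# or returns 1 when the group list carries no PAG (i.e. a "nopag" session).
afs_pag_from_groups() {
    set -- $1                               # split the gid list into $1 $2 ...
    for g in "$@"; do                       # one-group encoding: scan every gid
        # 1090519040..1107296255 is 0x41000000..0x41ffffff
        if [ "$g" -ge 1090519040 ] && [ "$g" -le 1107296255 ]; then
            printf '0x%08x\n' "$g"
            return 0
        fi
    done
    # two-group encoding: like the kernel module, only the first two gids count
    [ $# -ge 2 ] || return 1
    g0=$(( $1 - 16128 )); g1=$(( $2 - 16128 ))      # subtract 0x3f00
    if [ "$g0" -ge 0 ] && [ "$g0" -lt 49152 ] && \
       [ "$g1" -ge 0 ] && [ "$g1" -lt 49152 ]; then # both below 0xc000
        l=$(( ((g0 & 16383) << 14) | (g1 & 16383) ))   # low 28 bits from two 14-bit halves
        h=$(( 3 * (g0 >> 14) + (g1 >> 14) ))           # high nibble spread over both gids
        printf '0x%08x\n' $(( (h << 28) | l ))
        return 0
    fi
    return 1
}

# session_pag : the same check on the calling shell's own groups
session_pag() {
    afs_pag_from_groups "$(id -G)"
}

# Constructed group lists (not captured from the reporter's machine):
#   33536 32513 ...  is the two-group form of PAG 0x41000001
#   1090519041 ...   is the one-group form of the same PAG
#   100 10 20        is what a session logged in with "nopag" looks like
for groups in '33536 32513 100 10' '1090519041 100 10' '100 10 20'; do
    if pag=$(afs_pag_from_groups "$groups"); then
        echo "groups [$groups] -> in PAG $pag"
    else
        echo "groups [$groups] -> no PAG: tokens are keyed by uid only"
    fi
done

if pag=$(session_pag); then
    echo "this shell is in PAG $pag"
else
    echo "this shell has no PAG"
fi
```

Run it as the user right after logging in through the PAM stack in question: a session started with nopag should report no PAG, and removing nopag (once the module cooperates) should make the PAG gid appear. Only the first two gids are examined for the two-group form because that is what the kernel module does; scanning every adjacent pair would misreport ordinary gids in the 16128..65279 range as a PAG.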
I should have included the versions:

*  net-fs/openafs
      Latest version available: 1.4.14-r1
      Latest version installed: 1.4.14-r1

*  net-fs/openafs-kernel
      Latest version available: 1.4.14
      Latest version installed: 1.4.14

*  sys-auth/pam-afs-session
      Latest version available: 1.6
      Latest version installed: 1.6
removing.