Help: User login problems in NFS4 + Kerberos integration

Lee Eric openlinuxsource at gmail.com
Mon Oct 17 11:26:52 EDT 2011


Thanks mate. I use the pam_afs_session and pam_krb5 PAM modules on the
client. The user who is using NFS can sometimes log in and sometimes cannot,
due to a timeout. The client has to access both NFS and OpenAFS. So is there
any method to fix that? I will paste the PAM configurations here.

/etc/pam.d/system-auth

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

/etc/pam.d/password-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Obviously I'm using a mixed NFS/AFS environment there.

Eric

On Mon, Oct 17, 2011 at 10:56 PM, Nalin Dahyabhai <nalin at redhat.com> wrote:
> On Sun, Oct 16, 2011 at 07:32:28PM +0800, Lee Eric wrote:
>> I'm very curious why the system is going to try afs there. I have
>> defined the home dirs in NFS shares.
>
> Either pam_krb5 or pam_afs_session (or both) is attempting to set tokens
> for the workstation's default cell, if there is one.
>
> Users who don't have their home directories in AFS can still be members
> of groups who have access to data that unauthenticated users can't
> access, so it's worth doing.
>
> HTH,
>
> Nalin
>
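The thread turns on how the PAM stacks above behave when one module is slow or fails: which entries still run after a `sufficient` success, what a `requisite` failure stops, what the `[success=1 default=ignore]` jump does for crond, and why an `optional` module that waits on the network still delays the login even though its result is discarded. The following is an added example, not code from this thread or from Linux-PAM: a small walker that parses pam.d lines and replays the control-flag semantics of pam.conf(5) against outcomes the caller supplies. The stacks are the posted `system-auth` auth and session entries; the `pam_afs_session.so` session line is a constructed addition standing in for the token acquisition the reply describes (its name, position and the `service_err` it returns here are assumed), and every return value and delay is constructed rather than measured.

```python
"""Linux-PAM stack walker (added example, not from the thread or Linux-PAM):
parses pam.d lines and replays pam.conf(5) control-flag semantics against
caller-supplied outcomes: which modules run, what the stack returns, time spent."""
import re
from collections import namedtuple

# pam.conf(5) expansions of the keyword control flags ("default" covers the rest).
CONTROL_KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
Entry = namedtuple("Entry", "mtype control module args missing_ok")  # missing_ok: leading "-"
LINE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Parse one pam.d file: joins backslash-continued lines, drops comments."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        dash, mtype, ctl, module, args = m.groups()
        if ctl.startswith("["):                 # explicit [value=action ...] form
            control = {}
            for kv in ctl[1:-1].split():
                key, act = kv.split("=", 1)
                control[key] = int(act) if act.isdigit() else act   # N = jump count
        else:
            control = CONTROL_KEYWORDS[ctl]
        entries.append(Entry(mtype, control, module, args.split(), dash == "-"))
    return entries

def run_stack(entries, mtype, outcome):
    """Walk the `mtype` stack; outcome(entry) -> (return value, seconds spent).
    Returns (final status, modules that ran, seconds). 'reset' is not modelled."""
    impression, status = None, None          # None: no module has contributed yet
    ran, elapsed, skip = [], 0.0, 0
    for e in (e for e in entries if e.mtype == mtype):
        if skip:                             # jumped over by an earlier N action
            skip -= 1
            continue
        retval, secs = outcome(e)
        ran.append(e.module)
        elapsed += secs                      # the wait happens whatever the flag says
        action = e.control.get(retval, e.control.get("default", "bad"))
        if isinstance(action, int):          # N: acts as ok, then skips N modules
            skip, action = action, "ok"
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if impression != "neg":          # the first failure fixes the status
                impression, status = "neg", retval
            if action == "die":
                break
            continue
        if impression is None or (impression == "pos" and status == "success"):
            impression, status = "pos", retval          # ok / done adopt the result
        if action == "done" and impression == "pos" and status == "success":
            break                            # sufficient succeeded, no earlier failure
    return (status if impression is not None else "perm_denied"), ran, elapsed

# The posted auth and session entries of system-auth, plus one constructed line:
# an optional, network-dependent session module standing in for the token
# acquisition described in the reply (its name and position here are assumed).
SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in \\
            crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_afs_session.so
"""

def outcomes(results):
    """Callback from {module: (retval, seconds)}; unlisted modules succeed at once."""
    return lambda e: results.get(e.module, ("success", 0.0))

def auth_login(password_ok, system_account):
    """Login with no fingerprint reader: a wrong password falls through to
    pam_deny unless the requisite uid check ends the stack first."""
    res = {"pam_fprintd.so": ("auth_err", 0.0), "pam_deny.so": ("auth_err", 0.0)}
    if not password_ok:
        res["pam_unix.so"] = ("auth_err", 0.0)
    if system_account:
        res["pam_succeed_if.so"] = ("auth_err", 0.0)
    return run_stack(parse_stack(SYSTEM_AUTH), "auth", outcomes(res))

def session_open(service, stall_seconds):
    """crond jumps over pam_unix; an optional module that stalls for
    stall_seconds still delays the login although its result is ignored."""
    res = {"pam_afs_session.so": ("service_err", stall_seconds)}
    if service != "crond":
        res["pam_succeed_if.so"] = ("auth_err", 0.0)
    return run_stack(parse_stack(SYSTEM_AUTH), "session", outcomes(res))
```

Each scenario function returns `(status, modules_that_ran, seconds)`. `auth_login(True, False)` stops at `pam_unix.so` with `success`, `auth_login(False, True)` dies at the `requisite` uid check before `pam_deny.so` runs, and `session_open("sshd", 30.0)` returns `success` but reports the 30 s the constructed token module spent stalling, which is the shape of the intermittent-timeout symptom in the post: the login is not refused, it is merely held up until the network module gives up.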
