
Re: missing functionality in pam_krb5 ?



On Tue, 2002-07-30, Wolfgang Friebel wrote:
> I am using Balazs GAL's pam_krb5-1_56-1-heimdal-1_2-2.tar.gz pam
> implementation for use with Heimdal and OpenAFS.

Thanks for using our (oooo, well, Nalin's) pam_krb5 implementation.

> 1) obtain a new or refreshed K5 TGT (optionally a K4 one as well)
> 2) obtain a new AFS token.
> 
> As no new session is started, I would expect to have updated the original
> ticket caches and calling setpag has to be avoided.

Ok. I will add a "refresh_credentials"-like PAM command line option.
With this you can refresh the krb5/krb4 and afs tokens too.

> As xlock is not calling pam_sm_setcred, it has to be forced by setting
> the pam option tokens (or get_tokens or force_cred). Even then
> pam_sm_setcred is not called, because in line 1949 of pam_krb5afs.c the
> variable stash->have_v4_creds is not set:
> 
>     if (RC_OK && config->setcred && stash->have_v4_creds) {
> 
> This variable would get set in the preceding block, which is executed
> only if config->native_krb4_tgt is true (this is not the case).

Thanks, this is a bug.

> Even after stash->have_v4_creds is set then the unconditional setpag call
> around line 2407 is preventing the AFS token from persisting.

I looked into OpenAFS's PAM module and I think we need to use
the curpag() function from it. I need to read the IBM Public Licence
because pam_krb5 was released under GPL.

> Did I miss something or was this functionality left out on purpose?

No. I will reengineer it tomorrow.

Thanks for the correct feature request and bug report.

balsa