Heimdal, OpenAFS and Linux PAM


We are in the process of implementing an OpenAFS cell in our laboratory.
The impression we got from various sources was that the way to go nowadays
is with Heimdal as the authentication service, so we chose that. Some
Kerberos implementation was practically dictated since the user database
is in LDAP anyway and using Kerberos as authentication then automatically
gives us SASL authentication to LDAP, which we have lacked previously.

Now that everything is up and running, we are experiencing a few
minor problems. Two of these seem to be related to Heimdal.

First, there seems to be no good PAM module to authenticate against
Heimdal, set the AFS PAG and get the AFS token. What would you suggest? We
have had the best results with RedHat's pam_krb5.so, but it does not seem
to set the PAG at all. That's not nice: it forces us to open our AFS home
directories for world list access since we cannot let sshd (and others)
have an AFS ticket. If they have, the user's ticket replaces the daemon's
ticket and user's unlog removes the daemon's ticket, too. Obviously, they
share the PAG.

Second, kinit does not seem to set PAG either: doing kinit in an xterm
changes the tokens of another shell in another xterm with a different
KRB5CCNAME. Is this intentional or have I misconfigured something? I have
not noticed any krb5.conf option which would enforce a call to k_setpag()
or make kinit do pagsh first.

The first question is the more pressing one. Not being able to use
different privileges in different shells under the same parent (X,
obviously) is only a concern for those of us who have a /admin instance.
The rest of us just have one principal so they cannot run into this
problem. Besides, the workaround is "ssh localhost" in one of the said
shells, so it really is not a big one. I just thought that Heimdal was
smarter since its AFS integration was praised everywhere.


| Juha Jykk, juolja@utu.fi                      |
| Laboratory of Theoretical Physics             |
| Department of Physics, University of Turku    |
| home: http://www.utu.fi/~juolja/              |
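The token-sharing behaviour described in the post (a kinit in one xterm replacing the tokens of a shell in another xterm) follows from both shells sitting in the same PAG. The script below is an added example, not part of the original message or of OpenAFS/Heimdal: it shows the per-shell pattern of obtaining a fresh PAG with pagsh before kinit and aklog, so that tokens and the credentials cache stay private to that shell, and it includes a small helper to tell whether two processes share a PAG. The helper assumes the classic OpenAFS Linux encoding in which the PAG shows up as one supplementary group id in the range 0x41000000 to 0x41ffffff (this is an assumption; keyring-based PAGs on newer kernels do not appear in `id -G`). The function names and the temporary credentials-cache path are this example's own.

```shell
#!/bin/sh
# Added example: isolate AFS tokens per shell with pagsh + kinit + aklog.
# Assumes OpenAFS userland (pagsh, aklog) and a Kerberos kinit are installed.
# PAG detection below assumes the classic OpenAFS Linux encoding of a PAG as
# a supplementary gid in 0x41000000..0x41ffffff (assumption, see lead-in).

PAG_GID_MIN=1090519040   # 0x41000000
PAG_GID_MAX=1107296255   # 0x41ffffff

# pag_from_groups "gid gid ..." -> prints the PAG gid if one is present,
# returns 1 if the process is not in any PAG. Input is the output of `id -G`.
pag_from_groups() {
    for g in $1; do
        case "$g" in *[!0-9]*) continue ;; esac   # skip non-numeric tokens
        if [ "$g" -ge "$PAG_GID_MIN" ] && [ "$g" -le "$PAG_GID_MAX" ]; then
            echo "$g"
            return 0
        fi
    done
    return 1
}

# same_pag "groups-of-shell-A" "groups-of-shell-B" -> 0 when both shells
# carry the same PAG (and would therefore see each other's tokens), 1 otherwise.
same_pag() {
    a=$(pag_from_groups "$1") || return 1
    b=$(pag_from_groups "$2") || return 1
    [ "$a" = "$b" ]
}

# Report on the current process: used interactively, not by the test.
current_pag() {
    pag_from_groups "$(id -G)"
}

# Start a shell that owns a fresh PAG and a private credentials cache.
# Tickets and tokens obtained inside it are invisible to sibling shells,
# and an unlog there does not touch anyone else's tokens.
# Usage: isolated_shell user@REALM
isolated_shell() {
    principal=$1
    ccache=$(mktemp /tmp/krb5cc_XXXXXX)   # hypothetical per-shell cache path
    KRB5CCNAME="FILE:$ccache" AFS_PRINCIPAL="$principal" \
        pagsh -c 'kinit "$AFS_PRINCIPAL" && aklog && exec "${SHELL:-/bin/sh}"'
}
```

Run `current_pag` in two xterms: identical values mean they share a PAG and a kinit in one will affect the other; starting each with `isolated_shell user@REALM` gives every shell its own PAG and cache.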
