We have some sort of problem with converting v5 creds to v4 ones here. I haven't worried about it too much, because we don't really need them, or at least care about getting them at login. So, I have "krb4_convert = false". The AFS code in pam_krb5 seems to ignore this setting entirely -- if AFS is detected, it tries for 50 seconds before timing out. With Red Hat Linux 9, I worked around this by simply using pam_krb5 instead of pam_krb5afs. But now, these aren't separate binaries, and there appears to be no way to disable AFS. I don't actually *need* the pam module to be messing with AFS, and would like to tell it to stop. Obviously, it'd be nice to get the actual problem we have with v4 conversion fixed. But additionally, the pam_krb5 module ought to do what it is told.
Created attachment 101538 [details] adds "ignore_afs" flag This patch adds an "ignore_afs" flag. If that is set to true in /etc/krb5.conf, the PAM module skips its AFS detection routines and doesn't reenable krb4_convert or attempt to get AFS credentials.
I checked with the people who run the AFS and kerberos servers here, and basically, our 5 and 4 servers are entirely separate, and so 5-to-4 just doesn't work. AFS tokens should be obtained separately. That may change in the future, but certainly not the near future. Please add the 'ignore_afs' functionality -- otherwise, we're really crippled. Thanks!
Merging into 2.1.2. Thanks!