Bug 126345 - [has patch] pam_krb5 ignores "krb4_convert = false" when AFS is loaded
Summary: [has patch] pam_krb5 ignores "krb4_convert = false" when AFS is loaded
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_krb5
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-06-19 16:30 UTC by Matthew Miller
Modified: 2007-11-30 22:10 UTC (History)
0 users

Fixed In Version: 2.1.2-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-08-31 14:49:30 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
adds "ignore_afs" flag (2.23 KB, patch)
2004-06-30 15:48 UTC, Matthew Miller
no flags Details | Diff

Description Matthew Miller 2004-06-19 16:30:57 UTC
We have some sort of problem with converting v5 creds to v4 ones here.
I haven't worried about it too much, because we don't really need
them, or at least care about getting them at login. So, I have
"krb4_convert = false".

The AFS code in pam_krb5 seems to ignore this setting entirely -- if
AFS is detected, it tries for 50 seconds before timing out.

With Red Hat Linux 9, I worked around this by simply using pam_krb5
instead of pam_krb5afs. But now, these aren't separate binaries, and
there appears to be no way to disable AFS. I don't actually *need* the
pam module to be messing with AFS, and would like to tell it to stop.

Obviously, it'd be nice to get the actual problem we have with v4
conversion fixed. But additionally, the pam_krb5 module ought to do
what it is told.

Comment 1 Matthew Miller 2004-06-30 15:48:19 UTC
Created attachment 101538 [details]
adds "ignore_afs" flag

This patch adds an "ignore_afs" flag. If that is set to true in /etc/krb5.conf,
the PAM module skips its AFS detection routines and doesn't reenable
krb4_convert or attempt to get AFS credentials.

Comment 2 Matthew Miller 2004-06-30 15:50:44 UTC
I checked with the people who run the AFS and kerberos servers here,
and basically, our 5 and 4 servers are entirely separate, and so
5-to-4 just doesn't work. AFS tokens should be obtained separately.
That may change in the future, but certainly not the near future.

Please add the 'ignore_afs' functionality -- otherwise, we're really
crippled. Thanks!

Comment 3 Nalin Dahyabhai 2004-08-31 14:49:30 UTC
Merging into 2.1.2.  Thanks!


Note You need to log in before you can comment on or make changes to this bug.