Red Hat Bugzilla – Bug 126345
[has patch] pam_krb5 ignores "krb4_convert = false" when AFS is loaded
Last modified: 2007-11-30 17:10:45 EST
We have some sort of problem with converting v5 creds to v4 ones here.
I haven't worried about it too much, because we don't really need
them, or at least care about getting them at login. So, I have
"krb4_convert = false".
The AFS code in pam_krb5 seems to ignore this setting entirely -- if
AFS is detected, it tries for 50 seconds before timing out.
With Red Hat Linux 9, I worked around this by simply using pam_krb5
instead of pam_krb5afs. But now, these aren't separate binaries, and
there appears to be no way to disable AFS. I don't actually *need* the
pam module to be messing with AFS, and would like to tell it to stop.
Obviously, it'd be nice to get the actual problem we have with v4
conversion fixed. But additionally, the pam_krb5 module ought to do
what it is told.
Created attachment 101538 [details]
adds "ignore_afs" flag
This patch adds an "ignore_afs" flag. If that is set to true in /etc/krb5.conf,
the PAM module skips its AFS detection routines and doesn't reenable
krb4_convert or attempt to get AFS credentials.
I checked with the people who run the AFS and kerberos servers here,
and basically, our 5 and 4 servers are entirely separate, and so
5-to-4 just doesn't work. AFS tokens should be obtained separately.
That may change in the future, but certainly not the near future.
Please add the 'ignore_afs' functionality -- otherwise, we're really
Merging into 2.1.2. Thanks!