Created attachment 114102: use VIOC_GET_WS_CELL to obtain the name of the local cell
Description of problem:

pam_krb5 is using the VIOC_FILE_CELL_NAME pioctl to determine the name of the local cell. It is basically doing the equivalent of:

fs whichcell /afs

(using the 'fs' command from AFS).

This is wrong in the case where the workstation is using the dynamic root feature of OpenAFS. When -dynroot is enabled the name of the cell containing /afs is 'dynroot'. The actual "local cell" of the workstation may differ from the name of the cell containing the root of /afs; in OpenAFS, for instance, the local cell name is configured in the file /usr/vice/etc/ThisCell.

Fortunately, we don't need to know where a particular AFS client's configuration files are located. There is a standard pioctl interface for determining the name of the local cell, VIOC_GET_WS_CELL. pam_krb5 should use this instead and then it will work properly when dynamic root is enabled.

Version-Release number of selected component (if applicable):

Tested on RHEL4, pam_krb5-2.1.2-1

How reproducible:

Always.

Steps to Reproduce:

1. Enable -dynroot in OpenAFS. (current OpenAFS releases enable it by default)
2. Try to log in using pam_krb5afs. (with home directory in /afs)

Actual results:

pam_krb5afs attempts to get tokens in a cell named 'dynroot', not your actual local cell.

Expected results:

pam_krb5afs should attempt to get tokens for the workstation's local cell. (as configured in /usr/vice/etc/ThisCell on OpenAFS, etc)

Additional info:

A patch to fix this problem is available at:
http://www-personal.engin.umich.edu/~wingc/patches/pam_krb5/pam_krb5-2.1.2-wscell.patch
This was incorporated into 2.1.6. Closing.
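A host-side check for the condition described in the report, added here as an example and not taken from pam_krb5, OpenAFS or the linked patch. It compares the workstation cell with the cell holding the root of /afs, and assumes that `fs wscell` and `fs whichcell` print the cell name in single quotes after the word "cell"; the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch; not part of pam_krb5 or OpenAFS.
# Assumed output formats (sample cell name example.org is constructed):
#   fs wscell          -> This workstation belongs to cell 'example.org'
#   fs whichcell /afs  -> File /afs lives in cell 'dynroot'

# Extract the cell name from the single-quoted field after "cell".
cell_from_fs_output() {
    printf '%s\n' "$1" | sed -n "s/.*cell '\([^']*\)'.*/\1/p" | head -n 1
}

# $1 = output of `fs wscell`, $2 = output of `fs whichcell /afs`.
# Prints the workstation cell (the one a login module should request
# tokens for). Returns 0 if both commands name the same cell, 1 if they
# differ (the dynroot case in this report), 2 if either is unparseable.
check_local_cell() {
    ws=$(cell_from_fs_output "$1")
    root=$(cell_from_fs_output "$2")
    if [ -z "$ws" ] || [ -z "$root" ]; then
        echo "unparseable fs output" >&2
        return 2
    fi
    printf '%s\n' "$ws"
    [ "$ws" = "$root" ]
}

# Live comparison, only where the AFS 'fs' command is installed.
if command -v fs >/dev/null 2>&1; then
    rc=0
    check_local_cell "$(fs wscell 2>&1)" "$(fs whichcell /afs 2>&1)" || rc=$?
    [ "$rc" -ne 1 ] || echo "/afs root cell differs from workstation cell" >&2
fi
```

A return status of 1 means anything that derives the local cell from the root of /afs will target the wrong cell on that host.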