Description of problem:
pam_krb5 determines the name of the Kerberos realm to use when getting AFS tokens by looking up the IP addresses of the file servers for '/afs/cell.name'. However, it only passes a buffer large enough to hold a single IP address. If the AFS cell's root.cell volume is replicated (stored on more than 1 server), minikafs_realm_of_cell() will fail.

Version-Release number of selected component (if applicable):
Tested on RHEL4, pam_krb5-2.1.2-1

How reproducible:
Always

Steps to Reproduce:
1. Use an AFS cell that has more than 1 file server for /afs/cell.name
2. Try to log in using pam_krb5

Actual results:
Errors are returned when trying to get AFS tokens for the default cell. pam_krb5 falls back to using the default Kerberos realm, instead of the actual Kerberos realm for the particular cell. (It also refuses to use the instance-less principal afs, so if you don't have a principal named afs/cell.name, then it will fail to get any tokens at all.)

Expected results:
pam_krb5 should properly determine the name of the Kerberos realm containing the file servers for '/afs/cell.name', even if you have more than 1 file server.

Additional info:
A patch to fix this problem, by passing a buffer large enough to contain the maximum number of file server IP addresses supported by OpenAFS (13), and trying to use krb5_get_host_realm() on each of them, is available here:
http://www-personal.engin.umich.edu/~wingc/patches/pam_krb5/pam_krb5-2.1.2-servers.patch
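The failure mode and the proposed fix, as an added C example (not pam_krb5's code and not the patch linked above). The pioctl(VIOCWHEREIS) reply and krb5_get_host_realm() are modelled by small stand-ins: afs_whereis() returns a zero-terminated array of IPv4 addresses in network byte order and, as the report describes, fails when the caller's buffer cannot hold every server; host_realm() is a constructed address-to-realm table in which the first server deliberately has no realm mapping. The server addresses (192.0.2.x), the cell realm CELL.NAME and the default realm EXAMPLE.COM are constructed; AFS_MAXHOSTS is 13 as stated in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* OpenAFS's limit on file servers for one volume; the "13" the report mentions. */
#define AFS_MAXHOSTS 13

/* Constructed cell: root.cell for /afs/cell.name is replicated on three servers. */
static const char *const CELL_SERVERS[] = { "192.0.2.10", "192.0.2.11", "192.0.2.12" };
#define N_CELL_SERVERS (sizeof CELL_SERVERS / sizeof CELL_SERVERS[0])

/* Stand-in for the pioctl(VIOCWHEREIS) reply for '/afs/cell.name': IPv4 addresses
 * in network byte order, zero-terminated when there is room.  As in the report,
 * the call fails (-1) when the caller's buffer cannot hold every address; on
 * success it returns how many addresses were stored.  This is a model, not the
 * OpenAFS implementation. */
static int afs_whereis(uint32_t *out, size_t out_bytes)
{
    size_t need = N_CELL_SERVERS * sizeof *out;
    if (out_bytes < need)
        return -1;
    for (size_t i = 0; i < N_CELL_SERVERS; i++) {
        struct in_addr a;
        if (inet_pton(AF_INET, CELL_SERVERS[i], &a) != 1)
            return -1;
        out[i] = a.s_addr;
    }
    if (out_bytes >= need + sizeof *out)
        out[N_CELL_SERVERS] = 0;        /* terminator, like the real reply */
    return (int)N_CELL_SERVERS;
}

/* Stand-in for krb5_get_host_realm(): a constructed address->realm table.  The
 * first server has no mapping on purpose (think: no usable reverse DNS), which
 * is why a fix has to try every server rather than only the first one. */
static const char *host_realm(uint32_t addr)
{
    struct in_addr a = { .s_addr = addr };
    char ip[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &a, ip, sizeof ip))
        return NULL;
    if (strcmp(ip, "192.0.2.11") == 0 || strcmp(ip, "192.0.2.12") == 0)
        return "CELL.NAME";
    return NULL;
}

/* The behaviour the report describes: a buffer sized for exactly one address.
 * Once root.cell is replicated the lookup fails and the caller falls back to
 * the default realm, which is the wrong realm for any cell outside it. */
const char *realm_of_cell_one_server(const char *default_realm)
{
    uint32_t buf[1];
    int n = afs_whereis(buf, sizeof buf);
    if (n <= 0)
        return default_realm;
    const char *r = host_realm(buf[0]);
    return r ? r : default_realm;
}

/* The approach of the posted patch: room for AFS_MAXHOSTS addresses plus a
 * terminator, and a realm lookup attempted on each server until one answers. */
const char *realm_of_cell_all_servers(const char *default_realm)
{
    uint32_t buf[AFS_MAXHOSTS + 1] = { 0 };
    int n = afs_whereis(buf, sizeof buf);
    if (n <= 0)
        return default_realm;
    for (int i = 0; i < n && buf[i] != 0; i++) {
        const char *r = host_realm(buf[i]);
        if (r)
            return r;
    }
    return default_realm;
}

int main(void)
{
    printf("one-server buffer : %s\n", realm_of_cell_one_server("EXAMPLE.COM"));
    printf("all-servers buffer: %s\n", realm_of_cell_all_servers("EXAMPLE.COM"));
    return 0;
}
```

With the single-entry buffer the lookup never sees a server at all and silently yields EXAMPLE.COM; with the full-size buffer the first server is tried, fails, and the second yields CELL.NAME. Trying only buf[0] in the fixed version would still have been wrong here, which is the point of iterating.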
Created attachment 114105
pam_krb5: try the entire list of file server IP addresses when looking up the realm name
This should be fixed in 2.1.6, though the patch was different.