Red Hat Bugzilla – Bug 157113
[PATCH] pam_krb5 does not work properly when your AFS cell has more than 1 file server
Last modified: 2010-02-12 13:42:46 EST
Description of problem:
pam_krb5 determines the name of the Kerberos realm to use when getting AFS
tokens by looking up the IP addresses of the file servers for '/afs/cell.name'.
However, it only passes a buffer large enough to hold a single IP address.
If the AFS cell's root.cell volume is replicated (stored on more than 1 server),
minikafs_realm_of_cell() will fail.
Version-Release number of selected component (if applicable):
Tested on RHEL4, pam_krb5-2.1.2-1
Steps to Reproduce:
1. Use an AFS cell that has more than 1 fileserver for /afs/cell.name
2. Try to log in using pam_krb5
Errors are returned when trying to get AFS tokens for the default cell. pam_krb5
falls back to using the default Kerberos realm, instead of the actual Kerberos
realm for the particular cell. (It also refuses to use the instance-less
principal afs@REALM.NAME, so if you don't have a principal named
afs/cell.name@REALM.NAME, then it will fail to get any tokens at all)
pam_krb5 should properly determine the name of the Kerberos realm containing the
file servers for '/afs/cell.name', even if you have more than 1 file server.
A patch to fix this problem, by passing a buffer large enough to contain the
maximum number of file server IP addresses supported by OpenAFS (13), and trying
to use krb5_get_host_realm() on each of them, is available here:
Created attachment 114105
pam_krb5: try the entire list of file server IP addresses when looking up the realm name
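To illustrate the shape of the fix described above (a buffer sized for the full server list plus a loop that tries each address), here is an added, self-contained C example. It is not the pam_krb5 patch and does not call OpenAFS or libkrb5: servers_of_cell() and host_realm() are constructed stand-ins for the volume-location lookup and for krb5_get_host_realm(), the cell names, addresses and realm names are made up, and MAX_CELL_SERVERS is a hypothetical constant that only carries the figure of 13 quoted in the report. The pre-fix variant fails for a replicated cell because its one-address buffer cannot hold the list; the post-fix variant succeeds even though only one of the cell's servers has a known realm.

```c
#include <stdio.h>
#include <string.h>

/* Upper bound on file servers per cell; the number 13 is from the bug report,
 * the constant name is hypothetical (not an OpenAFS identifier). */
#define MAX_CELL_SERVERS 13
#define ADDR_LEN 16   /* dotted-quad IPv4 plus NUL */
#define REALM_LEN 64

/* Constructed stand-in for the volume-location lookup of '/afs/<cell>': copies
 * the cell's file server addresses into 'out' and returns the count, or -1 if
 * the caller's buffer cannot hold the full list (the failure the report
 * describes when only one address fits). */
static int servers_of_cell(const char *cell, char out[][ADDR_LEN], int max)
{
    /* Constructed sample data using RFC 5737 documentation addresses. */
    static const char *replicated[] = { "192.0.2.10", "192.0.2.11", "192.0.2.12" };
    static const char *single[]     = { "192.0.2.20" };
    const char **list;
    int n;

    if (strcmp(cell, "replicated.example") == 0) { list = replicated; n = 3; }
    else if (strcmp(cell, "single.example") == 0) { list = single; n = 1; }
    else return -1;

    if (n > max)
        return -1;
    for (int i = 0; i < n; i++) {
        strncpy(out[i], list[i], ADDR_LEN - 1);
        out[i][ADDR_LEN - 1] = '\0';
    }
    return n;
}

/* Constructed stand-in for krb5_get_host_realm(): returns 0 and fills 'realm'
 * when the address is known, nonzero otherwise. Only one of the replicated
 * cell's servers resolves, so a caller has to try the whole list. */
static int host_realm(const char *addr, char *realm, size_t len)
{
    static const struct { const char *addr, *realm; } table[] = {
        { "192.0.2.11", "EXAMPLE.REALM" },
        { "192.0.2.20", "SINGLE.REALM" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strcmp(addr, table[i].addr) == 0) {
            snprintf(realm, len, "%s", table[i].realm);
            return 0;
        }
    }
    return 1;
}

/* Pre-fix shape: room for a single address, so any replicated cell fails. */
int realm_of_cell_single(const char *cell, char *realm, size_t len)
{
    char addr[1][ADDR_LEN];
    if (servers_of_cell(cell, addr, 1) < 0)
        return 1;
    return host_realm(addr[0], realm, len);
}

/* Post-fix shape: room for the full server list; try each address in turn and
 * stop at the first one whose realm is known. */
int realm_of_cell_all(const char *cell, char *realm, size_t len)
{
    char addrs[MAX_CELL_SERVERS][ADDR_LEN];
    int n = servers_of_cell(cell, addrs, MAX_CELL_SERVERS);
    if (n < 0)
        return 1;
    for (int i = 0; i < n; i++)
        if (host_realm(addrs[i], realm, len) == 0)
            return 0;
    return 1;   /* no server's realm could be determined */
}

int main(void)
{
    char realm[REALM_LEN];
    printf("single-address buffer: %s\n",
           realm_of_cell_single("replicated.example", realm, sizeof realm) == 0
               ? realm : "(failed)");
    printf("full-list buffer:      %s\n",
           realm_of_cell_all("replicated.example", realm, sizeof realm) == 0
               ? realm : "(failed)");
    return 0;
}
```

The point of the loop is that a single unresolvable server address (for instance one with no reverse mapping the KDC configuration knows about) no longer makes the whole lookup fail; the fallback to the default realm only happens when none of the cell's servers yields a realm.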
This should be fixed in 2.1.6, though the patch was different.