Red Hat Bugzilla – Bug 188758
OpenAFS requires the v5 token to be in credential cache
Last modified: 2012-06-20 09:18:26 EDT
Description of problem:
OpenAFS requires the AFS token to be in the user's credential cache if running
in pure Kerberos 5 mode.
Version-Release number of selected component (if applicable): 2.2.8
How reproducible: Always
Steps to Reproduce:
1. Make OpenAFS use Kerberos 5 tickets only.
2. Login via pam_krb5 and have it set up the user session.
3. Verify that an AFS token is held via the 'tokens' command. (It won't be
listed via 'klist' though.)
4. Accessing non-world-readable files in /afs fails because the token is not
recognized by OpenAFS.
OpenAFS fails to recognize the AFS token although it's listed by the 'tokens'
If the token is in the user's credential cache (for example, if it was fetched
via 'afs5log'), everything works fine. It would therefore be nice if pam_krb5
could optionally store the AFS token in the regular credential cache (simply
let the user choose).
A patch that adds an option for this functionality is attached.
Created attachment 127676
Patch that adds a configuration option to store the AFS token in the regular credential cache
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life.
Please see https://access.redhat.com/support/policy/updates/errata/
If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.