# Login using PAM on OpenAFS Server

## donmartio

Hello,

after we got through the installation of the OpenAFS server I would like it if I were automatically logged in on the server when I log in on my Gentoo working machine.

I tried the last steps from this 'walkthrough':

http://www.gentoo.org/doc/en/openafs.xml

and added the line

```
auth       sufficient   pam_afs.so.1 use_first_pass ignore_root
```

to /etc/pam.d/system-auth

and the lines

```
auth       sufficient   pam_afs.so.1 ignore_uid 100
session    optional     pam_afs.so.1 no_unlog
```

to /etc/pam.d/su,

but that didn't do the job.

I searched the web, but I can't find any other solution (or the final hint).

With klog everything is OK... but I would really like it if I could get this done automatically without typing my password into a start script.

Any suggestions?

Greetings 

DonMartio

----------

## Kooky

Evening donmartio,

I'm not sure if I can help you because I use OpenAFS with Heimdal Kerberos and LDAP,

but maybe add the lines:

```
auth       sufficient   pam_afs.so.1 use_first_pass
account    sufficient   pam_succeed_if.so uid < 1000
account    [default=bad success=ok user_unknown=ignore]   pam_afs.so.1
password   sufficient   pam_afs.so.1 use_authtok
session    optional     pam_afs.so.1
```

and nothing in "su".

Here is also a copy of my whole working system-auth file:

```
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_krb5afs.so use_first_pass
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
account    sufficient   pam_succeed_if.so uid < 1000
account    required     pam_unix.so
account    [default=bad success=ok user_unknown=ignore]   pam_krb5afs.so
account    [default=bad success=ok user_unknown=ignore]   pam_ldap.so
password   required     pam_cracklib.so retry=3
password   sufficient   pam_unix.so nullok use_authtok shadow md5
password   sufficient   pam_krb5afs.so use_authtok
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_krb5afs.so
session    optional     pam_ldap.so
```

Greets Kooky

----------

## donmartio

Heyho Kooky,

thanks for your reply,

I fear that didn't do the job.

I tried it with:

```
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_afs.so.1 use_first_pass ignore_root
auth       required     pam_deny.so
account    required     pam_unix.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_afs.so.1 use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_afs.so.1
```

and also with:

```
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_afs.krb.so.1 use_first_pass ignore_root
auth       required     pam_deny.so
account    required     pam_unix.so
account    [default=bad success=ok user_unknown=ignore] pam_afs.krb.so.1
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_afs.krb.so.1 use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_afs.krb.so.1
```

Neither works.... I don't really understand what this configuration does...

Any further hints would be nice.

Greetings and thanks

DonMartio

----------

## donmartio

OK, some additions...

It seems that the problem is somewhere with KDE.

When I log in on a console using Ctrl+F1 then everything works... I get access to all my directories...

When I log in using KDE I get no access....

May somebody enlighten me about the differences between logging in using the console and KDE.

Greetings

DonMartio

----------

## Kooky

Please add "debug" to the lines with pam_afs*

and check your logs. Maybe also try "try_first_pass" instead of "use_first_pass" in "auth" (if the given password was wrong it will prompt for a new password).

Also check if your username/password in AFS is the same as the normal username/password for your box.

If you don't know what you are doing in the PAM config please read what "required", "sufficient" and "optional" mean (`man pam`) because when you do something wrong there you can't log in to your box (or everyone can log in to your box).

Maybe add "debug" to every line and also open !two! consoles before you change something in PAM (or you will have to start from a LiveCD to change PAM *g*)

If it works also check if you still can log in as "root", and if nothing works please ask again and give me a copy of your syslog.

Greets Kooky

----------

## donmartio

Hey Kooky,

thanks again for your reply.

Sadly I have to report that there is no success. The debug at the end of every line seems to do nothing here. No log in /var/log/messages.

As I mentioned before, I can log in using a shell and if I use klog.

And here is something more curious...

Using this system-auth:

```
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
# auth       sufficient   pam_afs.krb.so.1 try_first_pass ignore_root debug
auth       required     pam_deny.so
account    required     pam_unix.so
# account    [default=bad success=ok user_unknown=ignore] pam_afs.krb.so.1 debug
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
# password   sufficient   pam_afs.krb.so.1 use_authtok debug
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
# session    optional     pam_afs.krb.so.1 debug
```

I am automatically logged in on AFS with my usual account.

As you can see all AFS stuff is commented out.

Hmm, I'll take a further look tomorrow.

Greetings and Thanks again.

DonMartio

----------

## donmartio

Hello there again,

I figured out that there were some entries in /etc/pam.d/login:

```
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_afs.so.1 use_first_pass ignore_root
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    sufficient   /lib/security/pam_afs.so.1 authenticate
```

So this is the reason why it works if I log in non-graphically.

I tried it again by adding the same entries to /etc/pam.d/kde,

but it doesn't work.

Anybody any suggestions?

Greetings

DonMartio

----------

## Kooky

donmartio, please only change system-auth because all other PAM files will include this file with:

```
/lib/security/pam_stack.so service=system-auth
```

and it's much easier to administrate later.

----------

## donmartio

Hey Kooky,

thanks for your advice... I supposed it already, and meanwhile I have read a bit in the PAM administrator's guide.

But I can't find a reason why I get a token when I log in non-graphically and don't get that token when I log in using KDE.

I don't get any log messages in /var/log/messages except something like:

```
kde(pam_unix)[16048]: session opened for user martin by (uid=0)
```

Do you have a hint about what's going wrong the second way?

Greetings and thanks again.

DonMartio

----------

## Kooky

Can you show me your /etc/pam.d/kde? Here is mine:

```
#%PAM-1.0
auth       include      system-auth
auth       required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
```

Did you also configure your syslog? (Check the Gentoo security handbook for a nice configuration.)

greets Kooky

----------

## donmartio

Hoho... hey Kooky, thanks for the tip, I didn't know the Gentoo security handbook (I found a lot of things I have to do).

Since the AFS problem is on my machine at work I can't change the required configuration of my syslog right now.

But as far as I remember my /etc/pam.d/kde looks the same.

I'll test the whole stuff with the syslog changes tomorrow.

Maybe I get some hints from there and let you know (and maybe other fellows) what I have found.

Thanks again

DonMartio

----------

## donmartio

Hello again,

I got it working now. First I had to recompile OpenAFS with USE="debug" to get some more information about what is happening.

Then I tested it with /etc/pam.d/login and it worked like before. If I deleted the entry there and added the same entry to system-auth it didn't work anymore (neither non-graphically nor graphically).

Here are the non-working and the working system-auth to make this matter clearer:

Non-working:

```
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_afs.so try_first_pass ignore_root debug
auth       required     pam_deny.so
account    required     pam_unix.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
```

Working:

```
auth       required     pam_env.so
auth       sufficient   pam_afs.so try_first_pass ignore_root debug
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so
account    required     pam_unix.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
```

As you can see I only changed the order.

I don't fully understand why this is as it is, but it's working.

Thanks to Kooky for the help.

Greetings

DonMartio

----------

## depontius

*donmartio wrote:*

> Hello again,
>
> I got it working now. First I had to recompile OpenAFS with USE="debug" to get some more information about what is happening.
>
> ...

I've been having these troubles for a bit, too. I integrated my login back when I first installed this machine, and had no trouble getting it working. Then at some point, it stopped. Most of the time, it's just an annoyance. Around here, my token lasts a month, and with an occasional klog, it essentially never expires. Today I upgraded the kernel, which meant getting in without a token, so I decided to look into this a little bit. Every now and then I spend a little time on this, usually without result. But I believe I have enough pieces of the puzzle now.

Here's my /etc/pam.d/xdm:

 *Quote:*   

> #%PAM-1.0
> 
> auth       include      system-auth
> 
> auth       required     pam_tally.so file=/var/log/faillog onerr=succeed no_magi
> ...


And here's my /etc/pam.d/system-auth:

 *Quote:*   

> #%PAM-1.0
> 
> auth       required     pam_env.so
> 
> auth       sufficient   pam_unix.so likeauth nullok
> ...


I believe the key is the word "sufficient" on the line "auth sufficient pam_unix.so likeauth nullok". From what I remember of reading PAM documents, when it hits "sufficient" and it passes, it grants authentication and stops. For you, that originally meant stopping after pam_unix, but before pam_afs. When you switched the order of the 2 statements, it grants authentication after pam_afs, and does not bother with pam_unix. In my case, because of the "sufficient" on the pam_unix line in system-auth, it essentially never comes back from system-auth, and never processes my pam_afs line. I think I need to tweak my system-auth just like yours, and then take the pam_afs lines out of login and xdm. Though at this point, I think I need to make that a "use_first_pass" instead of "try_first_pass", because system-auth gets called by non-interactive things, and I could see them getting confused by an interactive-type request. That's why I've been reluctant to tweak system-auth in the first place. For the moment I've added "debug" to the pam_afs lines.

Any more expert opinions would truly be appreciated.

----------
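The ordering effect donmartio found (the non-working versus the working system-auth) and depontius' explanation of "sufficient" can be checked with a small model of how Linux-PAM walks an auth stack. This is an added example, not code from the thread, from OpenAFS or from Linux-PAM: the modules are tiny stand-ins, the user `martin` and the passwords are constructed, and `auth include` is modelled as splicing the included file's auth lines into the caller's stack, which is what lets a "sufficient" success inside system-auth end the xdm stack before xdm's own pam_afs line is reached.

```python
"""Simplified model of how Linux-PAM walks an 'auth' stack (added example,
not code from the thread). Modules are tiny stand-ins, credentials are
constructed, and 'include' splices the included file into the caller's stack."""
from dataclasses import dataclass, field

# Constructed credentials: as in the thread, the local and AFS passwords match.
LOCAL_PASSWORDS = {"martin": "same-secret"}
AFS_PASSWORDS = {"martin": "same-secret"}

@dataclass
class Session:
    user: str
    password: str
    afs_token: bool = False                  # set when pam_afs authenticates
    log: list = field(default_factory=list)  # which modules actually ran

# Stand-ins for the real modules; each returns True (PAM_SUCCESS) or False.
def pam_env(s):
    return True  # only exports environment variables, never fails

def pam_unix(s):
    return LOCAL_PASSWORDS.get(s.user) == s.password

def pam_afs(s):
    ok = AFS_PASSWORDS.get(s.user) == s.password
    if ok:
        s.afs_token = True  # the side effect the whole thread is chasing
    return ok

def pam_deny(s):
    return False

MODULES = {"pam_env.so": pam_env, "pam_unix.so": pam_unix,
           "pam_afs.so": pam_afs, "pam_deny.so": pam_deny}

def parse_auth(files, name):
    """Return the 'auth' lines of pam.d file `name` as (control, module)
    tuples; 'auth include X' splices in the auth lines of X."""
    stack = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        facility, control, module, *_args = line.split()  # module args ignored
        if facility != "auth":
            continue
        if control == "include":
            stack.extend(parse_auth(files, module))
        else:
            stack.append((control, module))
    return stack

def evaluate(stack, session):
    """Control flags: a 'required' failure is remembered but the stack keeps
    running; a 'requisite' failure returns at once; a 'sufficient' success
    ends the stack with success unless a required module already failed,
    and a 'sufficient' failure is ignored; 'optional' results are ignored."""
    required_failed = False
    for control, module in stack:
        ok = MODULES[module](session)
        session.log.append(f"{module}:{'ok' if ok else 'fail'}")
        if control == "required" and not ok:
            required_failed = True
        elif control == "requisite" and not ok:
            return False
        elif control == "sufficient" and ok and not required_failed:
            return True
    return not required_failed

def login(files, service, user, password):
    """Run the auth stack of `service`; returns (authenticated, afs_token, log)."""
    s = Session(user, password)
    ok = evaluate(parse_auth(files, service), s)
    return ok, s.afs_token, s.log

# The two system-auth variants from the thread, reduced to their auth lines.
NOT_WORKING = """
auth required   pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_afs.so try_first_pass ignore_root debug
auth required   pam_deny.so
"""
WORKING = """
auth required   pam_env.so
auth sufficient pam_afs.so try_first_pass ignore_root debug
auth sufficient pam_unix.so likeauth nullok
auth required   pam_deny.so
"""
# The xdm layout from the last post: include system-auth, then its own pam_afs.
XDM = "auth include system-auth\nauth sufficient pam_afs.so use_first_pass\n"

if __name__ == "__main__":
    print("not working:", login({"system-auth": NOT_WORKING}, "system-auth", "martin", "same-secret"))
    print("working:    ", login({"system-auth": WORKING}, "system-auth", "martin", "same-secret"))
    print("via xdm:    ", login({"system-auth": NOT_WORKING, "xdm": XDM}, "xdm", "martin", "same-secret"))
```

Running it shows the three situations in the thread: with pam_unix first the login succeeds but the log stops at `pam_unix.so:ok` and no token is obtained; with pam_afs first the login succeeds with a token and pam_unix is never consulted; and a service that includes the pam_unix-first system-auth never reaches its own trailing pam_afs line. The model also shows the lock-out risk Kooky warns about: with a wrong password every "sufficient" line is skipped and the "required" pam_deny line decides, so a typo in the "required"/"sufficient" column changes who can log in.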