[OpenAFS] aklog does not work during login

markus hetzenecker markus.hetzenecker@uibk.ac.at
Sat, 11 May 2002 16:35:25 +0200


hello.

well, I read the guides and the mailing list, but I could not find a solution, so here I am:
system: RedHat 7.3 i386 Linux, OpenAFS 1.2.3, pam_krb5-1.55-1.

the problem: during login I get no afs token.
the pam modules are configured (with authconf). everything is running on the same machine.
but what works is as follows:
after login (or with kinit) as user0:

bash-2.05a$ klist
Ticket cache: FILE:/tmp/krb5cc_501_Sz8iV6
Default principal: user0@UIBK.AC.AT

Valid starting     Expires            Service principal
05/11/02 15:09:11  05/12/02 01:09:11  krbtgt/UIBK.AC.AT@UIBK.AC.AT
        renew until 05/11/02 15:09:11

Kerberos 4 ticket cache: /tmp/tkt501_JcyOJr
klist: can't find realm of ticket file: Bad ticket file format (tf_util)
bash-2.05a$ aklog
bash-2.05a$ klist
Ticket cache: FILE:/tmp/krb5cc_501_iTdGY1
Default principal: user0@UIBK.AC.AT

Valid starting     Expires            Service principal
05/11/02 15:57:18  05/12/02 01:57:18  krbtgt/UIBK.AC.AT@UIBK.AC.AT
05/11/02 15:57:27  05/12/02 01:57:18  afs/uibk.ac.at@UIBK.AC.AT

Kerberos 4 ticket cache: /tmp/tkt501_abzSIP
klist: can't find realm of ticket file: Bad ticket file format (tf_util)
bash-2.05a$
------------------------------------------
with this procedure i am able to access the /afs files
but kinit -4 yields (with the same password):
bash-2.05a$ kinit -4
Password for user0@UIBK.AC.AT:
kinit(v4): Password incorrect
bash-2.05a$

so I cannot get a v4 ticket. (should I?)

Next there is a collection of some config lines:
[root@lmc-c102 root]# asetkey list
kvno    4: key is: 46d0f12ff46dc838
All done.

kadmin.local:  getprinc afs/uibk.ac.at
Principal: afs/uibk.ac.at@UIBK.AC.AT
...
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 4, DES cbc mode with CRC-32, no salt
...

kadmin.local:  getprinc user0
Principal: user0@UIBK.AC.AT
...
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
...

/var/kerberos/krb5kdc/kdc.conf:
[kdcdefaults]
...
 v4_mode = nopreauth

[realms]
 UIBK.AC.AT = {
  master_key_type = des-cbc-crc
  supported_enctypes = des3-cbc-raw:normal des3-cbc-raw:norealm des3-cbc-raw:onlyrealm des3-cbc-sha1:normal des3-cbc-sha1:norealm des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3 des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm des-cbc-raw:v4 des-cbc-raw:afs3 des-cbc-raw:normal des-cbc-raw:norealm des-cbc-raw:onlyrealm des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
 }
---------------------------------------------
maybe the debug output is more interesting
pam_krb5afs:debug:
...
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: `user0' has uid 501, gid 501
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: attempting to authenticate `user0'
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: get_int_tkt returned Success
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: authentication succeeds for `user0'
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: credentials saved for `user0'
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: ciphertext length in TGT = 104
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: Got v4 TGT for `jÍ\221¤9#'+\2232ð&^AfÝÉ^N\213^Ge£¿\234G\215i^Z^K¦^Pè^NH«\217\223IH¥.c"úN`yý^^äº_@'
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: Got 297 extra bytes in v4 TGT
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: Extra data = ò^P@0
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: Extra data =
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: get_config() called
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: Creating a ticket with addresses
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: krb4_convert true
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: will afslog to cells `uibk.ac.at'
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: will afslog to cell `uibk.ac.at'
...
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: KRB5CCNAME=FILE:/tmp/krb5cc_501_pPynYH
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: opening ticket file `/tmp/tkt501_L6Aq91'
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: save v4 creds (jÍ\221¤9#'+\2232ð&^AfÝÉ^N\213^Ge£¿\234G\215i^Z^K¦^Pè^NH«\217\223IH¥.c"úN`yý^^äº_@:36), 142
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: KRBTKFILE=/tmp/tkt501_L6Aq91
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: k_setpag()
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: k_setpag() returned 0
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: afslog() to cell `uibk.ac.at'
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: afslog() returned 79
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: setting ownership on `/tmp/krb5cc_501_pPynYH' to 501/501
...

sorry for the long listing, but I do not know what is wrong.
I am wondering why kinit/aklog works, but not the pam module. (I also tried pam_krb5afs-1.46)
thanks for any help.