[OpenAFS] Krb5 AFS ticket conversion problems continue
Derek T. Yarnell
derek@cs.umd.edu
Mon, 24 May 2004 14:25:48 -0400
Do your krb5 server logs tell you they are not giving out v4
tickets? The new 1.3.x code defaults to not giving out v4 tickets.
Add this to your kdc.conf in the [kdcdefaults] section:
v4_mode = nopreauth
Then restart krb5kdc.
On Fri, May 21, 2004 at 11:55:27AM -0400, Andrew Bacchi wrote:
> I CAN log in and get K5 tickets, but they still are NOT showing up as
> afs@xxx.xxx. I've tried many options with PAM, and krb5.conf. From
> syslog below, why am I not contacting the KDC for Krb524d? Thanks.
>
> The Krb524d is running.
> root 32588 1 0 May20 ? 00:00:00 /usr/local/sbin/kadmind
> root 32620 1 0 May20 ? 00:00:00 /usr/local/sbin/krb5kdc
> root 32636 1 0 May20 ? 00:00:00 /usr/local/sbin/krb524d -m
>
> netstat shows the server listening on port 750.
> udp 0 0 128.113.22.78:750 0.0.0.0:*
>
>
> MIT K5 1.3.2, OpenAFS 1.2.11, RHAS 2.1. Firewall is down on both server
> & client for testing.
>
> klist shows no afs tokens.
>
> Ticket cache: FILE:/tmp/krb5cc_65542_aRA8rN
> Default principal: bacchi_a@WEB.RPI.EDU
>
> Valid starting     Expires            Service principal
> 05/21/04 10:43:54  05/21/04 20:43:54  krbtgt/WEB.RPI.EDU@WEB.RPI.EDU
>         renew until 05/21/04 10:43:54
>
> Kerberos 4 ticket cache: /tmp/tkt65542_cxIYDy
> Principal: bacchi_a@WEB.RPI.EDU
>
> Issued             Expires            Principal
> 05/21/04 10:43:54  05/21/04 20:43:54  krbtgt.WEB.RPI.EDU@WEB.RPI.EDU
>
>
> /etc/krb5.conf has the krb524 server listed:
> [realms]
> WEB.RPI.EDU = {
> kdc = krb5-1.server.rpi.edu:88
> kdc = krb5-2.server.rpi.edu:88
> krb524_server = krb5-1.server.rpi.edu:750
> admin_server = krb5-1.server.rpi.edu:749
> default_domain = rpi.edu
> }
>
>
> /var/log/messages error says can't send request:
>
> May 21 10:43:54 ldap3 sshd[15610]: pam_krb5afs: authentication succeeds for `bacchi_a'
> May 21 10:43:54 ldap3 sshd[15610]: pam_krb5afs: couldn't get v4 TGT for bacchi_a@WEB.RPI.EDU (Can't send request (send_to_kdc)), continuing
> May 21 10:43:54 ldap3 sshd[15610]: pam_krb5afs: v4 ticket conversion succeeded for `bacchi_a'
>
> /etc/pam.d/system-auth is:
>
> #%PAM-1.0
> auth sufficient /lib/security/pam_unix.so likeauth nullok debug audit
> auth sufficient /lib/security/pam_krb5afs.so use_first_pass tokens
> auth required /lib/security/pam_deny.so
> account sufficient /lib/security/pam_unix.so
> account required /lib/security/pam_deny.so
> password required /lib/security/pam_cracklib.so retry=3
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/pam_krb5afs.so use_authtok
> password required /lib/security/pam_deny.so
> session required /lib/security/pam_limits.so
> session required /lib/security/pam_unix.so
> session optional /lib/security/pam_krb5afs.so
>
>
> --
> Facade: Provide a unified interface to a set of interfaces in a
> subsystem.
>
> Andrew Bacchi
> Staff Systems Programmer
> Rensselaer Polytechnic Institute
> phone: 518 276-6415 fax: 518 276-2809
>
> http://www.rpi.edu/~bacchi/
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
--
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
derek@cs.umd.edu
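For readers following Derek's fix, here is what the edited section of an MIT 1.3.x kdc.conf looks like in context. This is an added illustration, not a file from the thread; the path and the kdc_ports line are assumptions, and the existing [realms] stanza of the real file is left unchanged.

```ini
; MIT krb5 1.3.x KDC configuration (path assumed for a source build:
; /usr/local/var/krb5kdc/kdc.conf). Only [kdcdefaults] is shown; the
; [realms] section already on the KDC stays as it is.
[kdcdefaults]
    ; Port 750 is the Kerberos 4 port; 88 is Kerberos 5.
    kdc_ports = 88,750

    ; Per Derek's note above, 1.3.x no longer answers Kerberos 4 requests by
    ; default, so krb524d / pam_krb5afs never get a v4 TGT to convert.
    ;
    ; v4_mode = nopreauth makes the KDC answer v4 requests but refuse to issue
    ; v4 tickets for principals flagged requires_preauth, since Kerberos 4 has
    ; no preauthentication. Prefer this over "full", which also issues v4
    ; tickets to those principals and so lets a client sidestep the preauth
    ; requirement by asking in v4.
    v4_mode = nopreauth
```

After editing, restart krb5kdc (not only krb524d, which is a separate daemon) and re-run the login; the pam_krb5afs "couldn't get v4 TGT ... (send_to_kdc)" line should disappear from syslog, and `tokens` on the client should then show the afs token.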