[OpenAFS] kerberos + pam

Sergio Gelato Sergio.Gelato@astro.su.se
Fri, 15 Oct 2004 16:07:42 +0200

* Maurizio Santini [2004-10-14 14:08:15 -0300]:
> ---------------------------------------------
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_nologin.so
> #auth      sufficient   /lib/security/pam_afs.krb.so use_first_pass
> auth       sufficient   /lib/security/pam_krb5afs.so use_first_pass
> auth       required     /lib/security/pam_stack.so service=system-auth
> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_stack.so service=system-auth

I see you're not invoking pam_krb5afs.so in the account phase.
That may be OK, or it may cause trouble later at the session level.

Also note that for some applications, and for the SourceForge modules,
it may be useful to do
auth	...	pam_krb5afs.so tokens
This is necessary for some programs that don't pam_setcred() or
pam_open_session(). It's almost certainly not the right thing to
do for programs with privilege separation (like OpenSSH). I haven't
found it necessary on my Debian 3.0 boxes, but Red Hat may be different.

From what you showed us, your login application does call open_session,
but maybe there is a problem at the setcred/putenv level preventing
token acquisition by the session module.

> password   sufficient   /lib/security/pam_krb5.so use_authtok
> password   required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_krb5afs.so

What happens if you add a debug=yes on that one?

> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
> ---------------------------------------------
> 1) When I use the module provided by kerberos package (pam_krb5afs.so) I
> get the following from /var/log/messages:
> pam_krb5afs: couldn't get v4 TGT for mauri2@TEST.PICTAGE.COM.AR (Can't
> send request (send_to_kdc)), continuing
> Oct 13 18:40:07 opr011 pam_afs: AFS Password required but not supplied
> by user mauri2
> Oct 13 18:40:07 opr011 login: pam_krb5afs: v4 ticket conversion failed
> for `mauri2': -1750206208 (Unknown code k524 0)

Check your KDC's logs for more details.

> In this case I can login I get the ticket but not the token.
> 2) If I use the same module provided by
> http://sourceforge.net/projects/pam-krb5/ it results to this:

(Which version? rc7 or the latest snapshot? I prefer the snapshot.)

> Oct 14 11:43:02 opr011 login[11395]: pam_krb5afs: v4 ticket conversion
> succeeded for `mauri2'
> Again I can login I get the ticket but not the token.

Still points to a problem with the session module either not being invoked
or not being told where to find the credentials cache.

> 3) If I use the module pam_afs.krb.so provided by the openafs rpms I get
> the following:
> Oct 14 13:24:39 opr011 pam_afs[12394]: AFS Password required but not
> supplied by user mauri2
> Oct 14 13:24:42 opr011 login(pam_unix)[12394]: session opened for user
> mauri2 by (uid=0)
> Oct 14 13:24:42 opr011  -- mauri2: LOGIN ON tty3 BY mauri2
> In this case I can login, get the ticket and the token.  If I remove the
> user with kas delete I cannot login anymore (to my understanding only
> one KerberosV user should be needed, otherwise it is like maintaining two
> databases).  kaserver is running (if I shut it down the login prompt
> hangs a few seconds before letting me in, don't know why).

pam_afs probably returns different codes for internal failure (no kaserver)
and nonexistent principals.

> Any ideas what could be wrong?  I'm not using any aklog or fakeka.

Unless you're happy with pam_afs.krb for the long term, you do want to use
a session module with aklog-like functionality. Then you have to look at
how that module gets wind of, and access to, the TGT from the auth phase.
This doesn't seem to be working for you at the moment. I'd take a look at
the source code, or perhaps insert some diagnostic modules into the PAM
stack, to see what's going on.

> Thanks for your help,
> Maurizio Santini
> System administrator
> Ten Roses SRL
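A post-login check that separates the three states this thread keeps circling (no TGT at all; TGT but no AFS token, the poster's case; ticket and token both present) and, in the middle case, reports whether KRB5CCNAME in the login shell points at the cache that actually holds the TGT. This is an added example, not code from the thread or from any of the PAM modules discussed; it assumes the usual `klist` "Ticket cache:" header and the OpenAFS `tokens` "tokens for afs@cell" line, and the sample output embedded below is constructed to mimic the poster's "ticket but no token" situation. The state names are this script's own.

```shell
#!/bin/sh
# Added example (not from the thread): classify a fresh login's credentials and
# point at the PAM phase worth looking at next. Run with --live in a login
# shell; without --live it runs on the constructed sample output below.

# Extract the cache named in the "Ticket cache:" header of klist output.
ccache_of() {
    printf '%s\n' "$1" | sed -n 's/^Ticket cache: *//p' | head -n 1
}

# $1 = klist output, $2 = tokens output.
# Prints one of: no-tgt, tgt-no-token, tgt-and-token.
classify_creds() {
    if ! printf '%s\n' "$1" | grep -q 'krbtgt/'; then
        echo no-tgt
    elif ! printf '%s\n' "$2" | grep -q 'tokens for afs@'; then
        echo tgt-no-token
    else
        echo tgt-and-token
    fi
}

# $1 = state, $2 = klist output, $3 = KRB5CCNAME as seen by the session.
# The advice follows the reasoning in the reply above: no TGT means the auth
# phase failed; TGT without token means the session module either did not run
# or could not find the credentials cache.
advise() {
    state=$1; klist_out=$2; ccname=$3
    case $state in
    no-tgt)
        echo "auth phase gave no TGT: check the pam_krb5afs auth line and the KDC log" ;;
    tgt-no-token)
        cache=$(ccache_of "$klist_out")
        if [ -z "$ccname" ]; then
            echo "TGT in $cache but KRB5CCNAME unset: session module may not find it; add debug=yes to the session line"
        elif [ "$ccname" != "$cache" ]; then
            echo "TGT in $cache but KRB5CCNAME=$ccname: cache mismatch between auth and session"
        else
            echo "TGT in $cache visible via KRB5CCNAME: session module not run or its aklog step failed; add debug=yes to the session line"
        fi ;;
    tgt-and-token)
        echo "ticket and token both present" ;;
    esac
}

# Constructed sample output: a v5 TGT for the poster's principal, no AFS token.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_500_abc123
Default principal: mauri2@TEST.PICTAGE.COM.AR

Valid starting     Expires            Service principal
10/14/04 11:43:02  10/14/04 21:43:02  krbtgt/TEST.PICTAGE.COM.AR@TEST.PICTAGE.COM.AR'
SAMPLE_TOKENS='Tokens held by the Cache Manager:

   --End of list--'

if [ "${1:-}" = "--live" ]; then
    k=$(klist 2>/dev/null)
    t=$(tokens 2>/dev/null)
    s=$(classify_creds "$k" "$t")
    echo "$s: $(advise "$s" "$k" "${KRB5CCNAME:-}")"
else
    s=$(classify_creds "$SAMPLE_KLIST" "$SAMPLE_TOKENS")
    echo "$s: $(advise "$s" "$SAMPLE_KLIST" "")"
fi
```

Running it with `--live` right after logging in on a tty, before anything else has touched the environment, shows whether the session module ever had a chance: if KRB5CCNAME is unset or names a different cache than klist reports, the setcred/putenv step the reply mentions is where to look, and `debug=yes` on the session line will say so from the module's side.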