[OpenAFS] tokens at login (pam_krb5afs module)

Dj Merrill deej@thayer.dartmouth.edu
Tue, 26 Apr 2005 10:47:35 -0400 

Douglas E. Engert wrote:
> You have not said anything about the krb5 realm, or having added
> a principal to the realm's database.

Hi Douglas,
	I have a completely working system using all RHEL 3.4 machines.
Krb5 is setup and working, corresponding principals are in the database, 
and RHEL 3.4 clients are functioning fine.

	I'm trying to add RHEL 4 into the mix, and am running into
problems obtaining tokens at login.  I can login via Krb5, and I can
get tokens via "afslog" after login.  AFS seems to be working fine
(after obtaining a token manually).

	My best guess at this point is that the behaviour of
the pam_krb5 module has changed from RHEL 3.4 to RHEL 4
(pam_krb5 version change from 1.73-1 to 2.1.2-1), and this
is causing my problems.


>>     As per the K5 migration info, I have an afs principal:
>> afs@ECON.DUKE.EDU
>> however, I note that the pam_krb5afs tries several other
>> combinations, but not this one exactly. 
> 
> 
> What is the difference between the afs@ECON.DUKE.EDU above
> and the one below.

	My apologies, I mistyped - that should have read that it tries:
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to 
obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to 
obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to 
obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@ECON.DUKE.EDU")

	It does NOT try afs@ECON.DUKE.EDU, which is the correct
entry in the database (according to Step 4, subsection 3 of the
Krb 5 AFS migration kit).  Please note that this works fine AS-IS for
RHEL 3.4 machines.



> Have you added the principal to the KR5 realm?
> (Use the afs/econ.duke.edu@ECON.DUKE.EDU as this is
> afs/<cell>@<realm> which is what it tries first.)

	If I change afs@ECON.DUKE.EDU to
afs/econ.duke.edu@ECON.DUKE.EDU, won't that break
my existing and working RHEL 3.4 machines?
Or are you suggesting that I have both entries?
Don't the kvno numbers have to match between the
AFS Keyfile and Kerberos databases (I'm inferring this from
the Krb migration kit), so I can only have one entry here?

> In your krb5.conf file I don't see any references to the
> Kerberos realm of ECON>DUKE.EDU.

	I didn't send a complete krb5.conf file as I was trying
for brevity, but here it is:

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  ticket_lifetime = 24000
  default_realm = ECON.DUKE.EDU
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  ECON.DUKE.EDU = {
   kdc = kdc-1.econ.duke.edu:88
   kdc = kdc-2.econ.duke.edu:88
   admin_server = kdc-1.econ.duke.edu:749
   default_domain = econ.duke.edu
  }

[domain_realm]
  .econ.duke.edu = ECON.DUKE.EDU
  econ.duke.edu = ECON.DUKE.EDU

[kdc]
  profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
  pam = {
    debug = true
    ticket_lifetime = 86400
    renew_lifetime = 86400
    forwardable = true
    krb4_convert = true
    afs_cells = econ.duke.edu
    minimum_uid = 1000
  }
  afs_krb5 = {
    ECON.DUKE.EDU = {
       afs = true
    }
  }



Thanks again,

-Dj


-- 
Dj Merrill
Sportsman 2+2 Builder #7118

"TSA: Totally Screwing Aviation"