[OpenAFS] pam_afs_session.so is unable to find Kerberos ticket cache file
Holger Rauch
holger.rauch@empic.de
Thu, 10 Dec 2009 10:58:30 +0100
--jy6Sn24JjFx/iggw
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hi to everybody,
The problem I got is that interactive kinit/aklog combos work
perfectly, but when I try to log in remotely via ssh, the passwordless
login itself works, but a cd to my home dir doesn't occur because
pam_afs_session.so is either not considered or doesn't call aklog. The
exact error messages read as follows:
Could not chdir to home directory /export/home/people/hrauch: Permission de=
nied
-bash: /export/home/people/hrauch/.bash_profile: Permission denied
As it is now, I have to manully invoke kinit && aklog in order to be
able to successfully cd to my home dir. That's exactly what I wanted
to avoid.
I googled but found only the hint that one needs to include
pam_afs_session.so in the PAM session config, which I did.
The above implies that LDAP setup (used for POSIX account info)=20
and MIT Kerberos setup (for password maintenance) are configured correctly.
SSH is setup to forward Kerberos tickets by using these options in
/etc/ssh/ssh_config on the client:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
This happens on a Debian Lenny system with openafs packages installed
=66rom backports.org in order to circumvent some kind of memory
allocation error preventing the openafs kernel module from being loaded.
Here's the list of installed openafs packages obtained via dpkg -l:
=3D=3D=3D
ii libpam-afs-session 1.7-1 PAM module
to set up a PAG and obtain AFS tokens
ii openafs-client 1.4.11+dfsg-5~bpo50+1 AFS
distributed filesystem client support
ii openafs-krb5 1.4.11+dfsg-5~bpo50+1 AFS
distributed filesystem Kerberos 5 integration
ii openafs-modules-dkms 1.4.11+dfsg-5~bpo50+1 AFS
distributed filesystem kernel module DKMS source
ii openafs-modules-source 1.4.11+dfsg-5~bpo50+1 AFS
distributed filesystem kernel module source
=3D=3D=3D
My PAM config (I have a few "fallback" system accounts too, that's why
pam_unix.so is mentioned):
- /etc/pam.d/common-account
=3D=3D=3D
account sufficient pam_unix.so
account required pam_ldap.so minimum_uid=3D10000 debug
account required pam_krb5.so minimum_uid=3D10000 ignore_root debug
=3D=3D=3D
- /etc/pam.d/common-auth
=3D=3D=3D
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass minimum_uid=3D10000
ignore_root debug
auth optional pam_afs_session.so program=3D/usr/bin/aklog
auth required pam_deny.so
=3D=3D=3D
- /etc/pam.d/common-password
=3D=3D=3D
password sufficient pam_unix.so nullok obscure md5
password required pam_krb5.so use_first_pass minimum_uid=3D10000
ignore_root debug
=3D=3D=3D
- /etc/pam.d/common-session (I verified the path to aklog)
=3D=3D=3D
session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so minimum_uid=3D10000 ignore_root debug
session optional pam_afs_session.so program=3D/usr/bin/aklog debug
=3D=3D=3D
Anything wrong with my PAM config?
/var/log/auth.log tells me:
=3D=3D=3D
Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): hrauch: unable to get
PAM_KRB5CCNAME, assuming non-Kerberos login
Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): none: pam_sm_setcred:
exit (failure)
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session):
pam_sm_open_session: entry (0x0)
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): skipping tokens,
no Kerberos ticket cache
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session):
pam_sm_open_session: exit (success)
=3D=3D=3D
Now, the obvious question is: How can I tell sshd or pam_krb5.so about
the ticket cache file?
Thanks in advance for any help!
Kind regards,
Holger
=20
--jy6Sn24JjFx/iggw
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAksgxkYACgkQbiVtWpZdKQJetQCghSJkx+hWnlKpu0L6vlIOqFXn
3SEAn31LJXICBmlrn5FZOCTFFf80d+WM
=MHlH
-----END PGP SIGNATURE-----
--jy6Sn24JjFx/iggw--