[OpenAFS] pam_afs_session.so is unable to find Kerberos ticket cache file
Douglas E. Engert
deengert@anl.gov
Thu, 10 Dec 2009 13:37:39 -0600
Are your tickets on the ssh client forwardable? They need to be for the
GSSAPIDelegateCredentials yes to work.
Holger Rauch wrote:
> Hi to everybody,
>
> The problem I got is that interactive kinit/aklog combos work
> perfectly, but when I try to log in remotely via ssh, the passwordless
> login itself works, but a cd to my home dir doesn't occur because
> pam_afs_session.so is either not considered or doesn't call aklog. The
> exact error messages read as follows:
>
> Could not chdir to home directory /export/home/people/hrauch: Permission denied
> -bash: /export/home/people/hrauch/.bash_profile: Permission denied
>
> As it is now, I have to manually invoke kinit && aklog in order to be
> able to successfully cd to my home dir. That's exactly what I wanted
> to avoid.
>
> I googled but found only the hint that one needs to include
> pam_afs_session.so in the PAM session config, which I did.
>
> The above implies that LDAP setup (used for POSIX account info)
> and MIT Kerberos setup (for password maintenance) are configured correctly.
> SSH is set up to forward Kerberos tickets by using these options in
> /etc/ssh/ssh_config on the client:
>
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
>
> This happens on a Debian Lenny system with openafs packages installed
> from backports.org in order to circumvent some kind of memory
> allocation error preventing the openafs kernel module from being loaded.
>
> Here's the list of installed openafs packages obtained via dpkg -l:
>
> ===
>
> ii libpam-afs-session 1.7-1 PAM module to set up a PAG and obtain AFS tokens
> ii openafs-client 1.4.11+dfsg-5~bpo50+1 AFS distributed filesystem client support
> ii openafs-krb5 1.4.11+dfsg-5~bpo50+1 AFS distributed filesystem Kerberos 5 integration
> ii openafs-modules-dkms 1.4.11+dfsg-5~bpo50+1 AFS distributed filesystem kernel module DKMS source
> ii openafs-modules-source 1.4.11+dfsg-5~bpo50+1 AFS distributed filesystem kernel module source
>
> ===
>
> My PAM config (I have a few "fallback" system accounts too, that's why
> pam_unix.so is mentioned):
>
> - /etc/pam.d/common-account
>
> ===
>
> account sufficient pam_unix.so
> account required pam_ldap.so minimum_uid=10000 debug
> account required pam_krb5.so minimum_uid=10000 ignore_root debug
>
> ===
>
> - /etc/pam.d/common-auth
>
> ===
>
> auth sufficient pam_unix.so nullok_secure
> auth sufficient pam_krb5.so use_first_pass minimum_uid=10000 ignore_root debug
> auth optional pam_afs_session.so program=/usr/bin/aklog
> auth required pam_deny.so
>
> ===
>
> - /etc/pam.d/common-password
>
> ===
>
> password sufficient pam_unix.so nullok obscure md5
> password required pam_krb5.so use_first_pass minimum_uid=10000 ignore_root debug
>
> ===
>
> - /etc/pam.d/common-session (I verified the path to aklog)
>
> ===
>
> session required pam_limits.so
> session required pam_unix.so
> session optional pam_krb5.so minimum_uid=10000 ignore_root debug
> session optional pam_afs_session.so program=/usr/bin/aklog debug
>
> ===
>
> Anything wrong with my PAM config?
>
> /var/log/auth.log tells me:
>
> ===
>
> Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): hrauch: unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
> Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): none: pam_sm_setcred: exit (failure)
> Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: entry (0x0)
> Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): skipping tokens, no Kerberos ticket cache
> Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: exit (success)
>
> ===
>
> Now, the obvious question is: How can I tell sshd or pam_krb5.so about
> the ticket cache file?
>
> Thanks in advance for any help!
>
> Kind regards,
>
> Holger
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
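A small client-side check for the two things this reply and the quoted ssh_config turn on, added here as an example and not code from the thread, from OpenAFS or from pam_afs_session: whether the TGT in the client's cache carries the forwardable flag (shown as F by klist -f) and whether ssh_config enables GSSAPI delegation. The klist excerpts and ssh_config fragments are constructed samples, and the EXAMPLE.ORG realm is a placeholder.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread): checks that the client TGT is
# forwardable and that ssh_config delegates it, parsing klist -f output and
# ssh_config text read from stdin. The sample inputs below are constructed.

# Exit 0 if the krbtgt entry in klist -f output has the F (forwardable) flag.
# For renewable tickets the flags follow "renew until ..." on the same line,
# so locate the "Flags:" token by regex rather than by field position.
ticket_forwardable() {
    awk '
        /krbtgt\// { tgt = 1; next }
        tgt && match($0, /Flags: *[A-Za-z]+/) {
            if (substr($0, RSTART + 6, RLENGTH - 6) ~ /F/) ok = 1
            tgt = 0
        }
        END { exit(ok ? 0 : 1) }'
}
# Exit 0 if the ssh_config text on stdin sets both GSSAPIAuthentication and
# GSSAPIDelegateCredentials to yes (keywords case-insensitive, comments skipped).
# Caveat: Host stanzas are not evaluated; a directive in any Host block counts.
ssh_config_delegates() {
    awk '
        /^[ \t]*#/ { next }
        { k = tolower($1); v = tolower($2) }
        k == "gssapiauthentication" && v == "yes" { a = 1 }
        k == "gssapidelegatecredentials" && v == "yes" { d = 1 }
        END { exit((a && d) ? 0 : 1) }'
}
# Constructed klist -f excerpts: a forwardable, renewable TGT (kinit -f), and
# one obtained without -f and without forwardable = true in krb5.conf.
KLIST_OK='12/10/09 10:45:00  12/11/09 10:45:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 12/17/09 10:45:00, Flags: FRIA'
KLIST_NOFWD='12/10/09 10:45:00  12/11/09 10:45:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: IA'
# Constructed ssh_config fragments: the thread's settings, then the same with
# delegation commented out.
SSH_OK='GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes'
SSH_NODELEG='GSSAPIAuthentication yes
# GSSAPIDelegateCredentials yes'
# Run one check on one sample and print a verdict without aborting. On a real
# client: klist -f | ticket_forwardable; ssh_config_delegates < /etc/ssh/ssh_config
report() {
    if printf '%s\n' "$2" | "$1"; then echo "PASS: $3"; else echo "FAIL: $3"; fi
}
report ticket_forwardable   "$KLIST_OK"    "client TGT is forwardable"
report ticket_forwardable   "$KLIST_NOFWD" "client TGT is forwardable"
report ssh_config_delegates "$SSH_OK"      "ssh_config delegates credentials"
report ssh_config_delegates "$SSH_NODELEG" "ssh_config delegates credentials"
```

If the TGT check fails, the server-side pam_afs_session line "skipping tokens, no Kerberos ticket cache" is expected, because sshd never received a cache to hand to PAM.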