[OpenAFS] pam_afs_session.so is unable to find Kerberos ticket cache file

Holger Rauch holger.rauch@empic.de
Thu, 10 Dec 2009 21:26:47 +0100


Hi Douglas,

thanks for pointing this out. Indeed, that was the problem. What I
don't understand is that even though I have

forwardable = true

in both pam and kinit sections within [appdefaults] in my
/etc/krb5.conf, I still have to explicitly specify "kinit -f" in order
to get forwardable tickets. Any idea why? (I admit that this is sort
of OT and not really OpenAFS but rather Kerberos related).

Thanks a lot & kind regards,

       Holger

On Thu, 10 Dec 2009, Douglas E. Engert wrote:

> Are your tickets on the ssh client forwardable? They need to be for the
> GSSAPIDelegateCredentials yes to work.
>
> Holger Rauch wrote:
> >Hi to everybody,
> >
> >The problem I got is that interactive kinit/aklog combos work
> >perfectly, but when I try to log in remotely via ssh, the passwordless
> >login itself works, but a cd to my home dir doesn't occur because
> >pam_afs_session.so is either not considered or doesn't call aklog. The
> >exact error messages read as follows:
> >
> >Could not chdir to home directory /export/home/people/hrauch: Permission denied
> >-bash: /export/home/people/hrauch/.bash_profile: Permission denied
> >
> >As it is now, I have to manually invoke kinit && aklog in order to be
> >able to successfully cd to my home dir. That's exactly what I wanted
> >to avoid.
> >
> >I googled but found only the hint that one needs to include
> >pam_afs_session.so in the PAM session config, which I did.
> >
> >The above implies that LDAP setup (used for POSIX account info)
> >and MIT Kerberos setup (for password maintenance) are configured
> >correctly.
> >SSH is set up to forward Kerberos tickets by using these options in
> >/etc/ssh/ssh_config on the client:
> >
> >GSSAPIAuthentication yes
> >GSSAPIDelegateCredentials yes
> >
> >This happens on a Debian Lenny system with openafs packages installed
> >from backports.org in order to circumvent some kind of memory
> >allocation error preventing the openafs kernel module from being loaded.
> >
> >Here's the list of installed openafs packages obtained via dpkg -l:
> >
> >===
> >
> >ii  libpam-afs-session         1.7-1                      PAM module
> >to set up a PAG and obtain AFS tokens
> >ii  openafs-client             1.4.11+dfsg-5~bpo50+1      AFS
> >distributed filesystem client support
> >ii  openafs-krb5               1.4.11+dfsg-5~bpo50+1      AFS
> >distributed filesystem Kerberos 5 integration
> >ii  openafs-modules-dkms       1.4.11+dfsg-5~bpo50+1      AFS
> >distributed filesystem kernel module DKMS source
> >ii  openafs-modules-source     1.4.11+dfsg-5~bpo50+1      AFS
> >distributed filesystem kernel module source
> >
> >===
> >
> >My PAM config (I have a few "fallback" system accounts too, that's why
> >pam_unix.so is mentioned):
> >
> >- /etc/pam.d/common-account
> >
> >===
> >
> >account sufficient      pam_unix.so
> >account required        pam_ldap.so minimum_uid=10000 debug
> >account required        pam_krb5.so minimum_uid=10000 ignore_root debug
> >
> >===
> >
> >- /etc/pam.d/common-auth
> >
> >===
> >
> >auth    sufficient        pam_unix.so nullok_secure
> >auth    sufficient        pam_krb5.so use_first_pass minimum_uid=10000 ignore_root debug
> >auth    optional          pam_afs_session.so program=/usr/bin/aklog
> >auth    required          pam_deny.so
> >
> >===
> >
> >- /etc/pam.d/common-password
> >
> >===
> >
> >password sufficient   pam_unix.so nullok obscure md5
> >password required     pam_krb5.so use_first_pass minimum_uid=10000 ignore_root debug
> >
> >===
> >
> >- /etc/pam.d/common-session (I verified the path to aklog)
> >
> >===
> >
> >session required        pam_limits.so
> >session required        pam_unix.so
> >session optional        pam_krb5.so minimum_uid=10000 ignore_root debug
> >session optional        pam_afs_session.so program=/usr/bin/aklog debug
> >
> >===
> >
> >Anything wrong with my PAM config?
> >
> >/var/log/auth.log tells me:
> >
> >===
> >
> >Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): hrauch: unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
> >Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): none: pam_sm_setcred: exit (failure)
> >Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: entry (0x0)
> >Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): skipping tokens, no Kerberos ticket cache
> >Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: exit (success)
> >
> >===
> >
> >Now, the obvious question is: How can I tell sshd or pam_krb5.so about
> >the ticket cache file?
> >
> >Thanks in advance for any help!
> >
> >Kind regards,
> >
> >     Holger
>
> --
>
>  Douglas E. Engert  <DEEngert@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
--
=========================================
Holger Rauch
Application Software Development
UNIX System Administration

Tel.: +49 / 9131 / 877 - 141
Fax: +49 / 9131 / 877 - 266
Email: Holger.Rauch@empic.de
=========================================
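The thread turns on two checks a practitioner would want to automate: whether the client's TGT actually carries the forwardable flag (Douglas's point about GSSAPIDelegateCredentials), and whether auth.log shows pam_afs_session skipping tokens because no ticket cache reached the session. The script below is an added example, not code from the list or from the OpenAFS or pam-afs-session projects. It assumes the MIT `klist -f` output layout (ticket line followed by an indented `Flags:` line, with `F` meaning forwardable); the klist sample, the principal and the cache path are constructed, and the auth.log sample is the thread's own log lines unwrapped plus one made-up session that did obtain a cache.

```python
import re

# Constructed sample of MIT `klist -f` output (layout assumed from MIT krb5;
# the principal, realm and cache path are made up, not from the thread).
# The TGT here has I (initial) and A (preauth) but no F flag.
KLIST_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_10000_example
Default principal: hrauch@EXAMPLE.COM

Valid starting     Expires            Service principal
12/10/09 10:50:33  12/10/09 20:50:33  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: IA
12/10/09 10:50:40  12/10/09 20:50:33  afs/example.com@EXAMPLE.COM
\tFlags: A
"""

# Constructed auth.log sample: PID 15641 is the thread's own log (unwrapped);
# PID 15702 is a made-up session that did not skip tokens.
AUTH_LOG_SAMPLE = """\
Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): hrauch: unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): none: pam_sm_setcred: exit (failure)
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: entry (0x0)
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): skipping tokens, no Kerberos ticket cache
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: exit (success)
Dec 10 10:52:01 pia sshd[15702]: (pam_afs_session): pam_sm_open_session: entry (0x0)
Dec 10 10:52:01 pia sshd[15702]: (pam_afs_session): pam_sm_open_session: exit (success)
"""

# One ticket line: "<start date> <start time>  <expiry date> <expiry time>  <service principal>"
TICKET_RE = re.compile(r"^(\d\S* \d\S*)\s+(\d\S* \d\S*)\s+(\S+)$")


def parse_klist(text):
    """Return [(service_principal, flags)] from `klist -f` output.
    A ticket with no Flags line gets an empty flag string."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append([m.group(3), ""])
        elif line.strip().startswith("Flags:") and tickets:
            tickets[-1][1] = line.split(":", 1)[1].strip()
    return [tuple(t) for t in tickets]


def tgt_is_forwardable(text):
    """True only if the krbtgt/ ticket carries the F (forwardable) flag;
    without it GSSAPIDelegateCredentials has nothing it may delegate."""
    for principal, flags in parse_klist(text):
        if principal.startswith("krbtgt/"):
            return "F" in flags
    return False


LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"\((?P<module>[^)]+)\): (?P<msg>.*)$")


def find_tokenless_sessions(log_text):
    """Group sshd PAM lines by PID and return {pid: user} for sessions in
    which pam_afs_session skipped tokens. The user is taken from the
    pam_krb5 PAM_KRB5CCNAME line when present, otherwise None."""
    sessions = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], {"user": None, "skipped": False})
        if m["module"] == "pam_krb5":
            um = re.match(r"(\S+): unable to get PAM_KRB5CCNAME", m["msg"])
            if um:
                s["user"] = um.group(1)
        elif m["module"] == "pam_afs_session" and m["msg"].startswith("skipping tokens"):
            s["skipped"] = True
    return {pid: s["user"] for pid, s in sessions.items() if s["skipped"]}


def diagnose(klist_text, log_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if not tgt_is_forwardable(klist_text):
        findings.append("client TGT lacks the F flag: run kinit -f or set forwardable = true")
    for pid, user in sorted(find_tokenless_sessions(log_text).items()):
        findings.append(f"sshd[{pid}] ({user or 'unknown user'}): no ticket cache, aklog was not run")
    return findings


if __name__ == "__main__":
    # Run against the constructed samples; on a real host feed it the output
    # of `klist -f` from the ssh client and the server's /var/log/auth.log.
    for finding in diagnose(KLIST_SAMPLE, AUTH_LOG_SAMPLE):
        print(finding)
```

On the configuration question Holger raises: MIT Kerberos' kinit and libkrb5 read `forwardable = true` from `[libdefaults]`, not from a `kinit` entry under `[appdefaults]` (the `[appdefaults]` `pam` entry is what pam_krb5 consults). That is a general MIT krb5 fact, not something the thread itself establishes, so verify it against the krb5.conf manual for the version in use.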
