[OpenAFS] AIX 5.3 and aklog_dynamic_auth fail

Remi Ferrand remi.ferrand@cc.in2p3.fr
Fri, 19 Jun 2009 11:17:16 +0200


Hi everyone,

I'm working on AIX 5.3, with OpenAFS v1.4.10 / AIX NAS Kerberos 5.

My AFS cell is online and functional with Kerberos 5 (kinit + aklog OR
klog.krb5 works fine). I can obtain a Kerberos 5 ticket and extract an
AFS Token from it without any problem.

I'm now trying to obtain an AFS token as soon as I "ssh" into my AFS
client. 
I could find a ChangeLog saying that AIX LAM Module "aklog_dynamic_auth"
is now fully functional
(http://www.openafs.org/frameset/dl/openafs/1.4.10/ChangeLog ) and could
do this stuff.

The LAM compilation plugin went fine (no error).
When I re-start my SSH daemon, LAM plugin is correctly loaded.

However, I still have the same error when an ssh connection is tried:

(from AFS AIX client machine)
Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog loaded: uid 0 pag -1
Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog starting: user testkrb5 uid 0
Jun 19 11:09:59 ccdvrs03 auth|security:err|error sshd[385070]: LAM aklog: get_credv5 returns -1765328352
Jun 19 11:09:59 ccdvrs03 auth|security:info sshd[385070]: Failed password for USERTEST from 134.158.71.108 port 48307 ssh2
Jun 19 11:09:59 ccdvrs03 auth|security:info syslog: ssh: failed login attempt for USERTEST from YYYY.YYYYY.fr

(From my KDCs logs)
Jun 19 11:14:29 cckrb01.in2p3.fr krb5kdc[26295](info): TGS_REQ (1 etypes {1}) 134.158.105.107: PROCESS_TGS: authtime 0,  <unknown client> for afs/test.in2p3.fr@TEST.IN2P3.FR, Ticket expired
Jun 19 11:14:29 cckrb01.in2p3.fr krb5kdc[26295](info): TGS_REQ (1 etypes {1}) 134.158.105.107: PROCESS_TGS: authtime 0,  <unknown client> for afs/test.in2p3.fr@TEST.IN2P3.FR, Ticket expired

-----------------

OpenAFS is built with these steps:

export CC="/bin/xlc"
export KRB5CFLAGS="-I/usr/include"
export KRB5LIBS="-lkrb5 -L/usr/krb5/lib"
export CFLAGS="-I/usr/include"
export LDFLAGS="-L/usr/krb5/lib"
./configure --enable-transarc-paths --with-krb5
make
make dest
sudo cp rs_aix53/dest/root.client/usr/vice/etc/aklog_dynamic_auth /usr/lib/security/aklog_dynamic_auth

------------------

/etc/security/user file
USERTEST:
        admin = false
        SYSTEM = "AFSaklogfiles"
        registry = files

------------------

/usr/lib/security/methods.cfg file
AFSaklog:
        program = /usr/lib/security/aklog_dynamic_auth
        options = authonly

AFSaklogfiles:
        options = auth=AFSaklog,db=BUILTIN

------------------

Has anybody ever encountered this kind of error in the past?
Is this error a standard exit code (I can't find any information on that
exit code)?

Thanks,

Remi


-- 
Remi Ferrand             | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 |     et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
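
The number in the "get_credv5 returns" log line above can be split into a com_err table name and an offset within that table; the following is an added example, not part of the original post or of OpenAFS. It assumes the value is a com_err-style code as used by MIT-derived Kerberos libraries, where offsets 0-127 of the krb5 table mirror the RFC 4120 protocol error numbers; the function names and the partial offset table are illustrative.

```python
import re

# 6-bit alphabet com_err uses to pack a table name into an error code.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# A few krb5-table offsets (RFC 4120 error numbers); deliberately partial.
KRB5_OFFSETS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KDC_ERR_PREAUTH_FAILED",
    31: "KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB_AP_ERR_TKT_EXPIRED",
    33: "KRB_AP_ERR_TKT_NYV",
    37: "KRB_AP_ERR_SKEW",
}

def decode_com_err(code):
    """Split a signed 32-bit com_err code into (table name, offset)."""
    u = code & 0xFFFFFFFF          # reinterpret the signed value as unsigned
    offset = u & 0xFF              # low 8 bits: index inside the table
    num = (u >> 8) & 0xFFFFFF      # high 24 bits: up to four 6-bit characters
    name = ""
    for shift in (18, 12, 6, 0):
        ch = (num >> shift) & 0x3F
        if ch:                     # 0 means "no character" (short table names)
            name += CHARSET[ch - 1]
    return name, offset

def explain(line):
    """Find 'returns <number>' in a log line and describe the code."""
    m = re.search(r"returns\s+(-?\d+)", line)
    if not m:
        return None
    table, offset = decode_com_err(int(m.group(1)))
    symbol = KRB5_OFFSETS.get(offset, "unlisted") if table == "krb5" else "unlisted"
    return table, offset, symbol

# Log line from the post above, with the mail wrapping removed.
LINE = ("Jun 19 11:09:59 ccdvrs03 auth|security:err|error sshd[385070]: "
        "LAM aklog: get_credv5 returns -1765328352")

if __name__ == "__main__":
    print(explain(LINE))
```

The decoded symbol agrees with the "Ticket expired" text in the KDC log lines quoted in the post.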