[OpenAFS] How to replace pam_krb5 on RHEL 8 systems (fwd)
Stephan Wonczak
a0033@rrz.uni-koeln.de
Mon, 11 Jul 2022 11:13:12 +0200 (CEST)
(resend without attachment - original Mail did not make it to the
list!)
Hi Jeffrey,
Thanks for having a look at the problem.
However, I obviously did not do a very good job detailing exactly what
we did ... so here's my next try. Warning: It is going to be lengthy :-)
First off: We do not use SSSD. And we would like to keep it that way, since
it caused various massive problems in the past.
On RHEL-7, everything works perfectly. We are using the RedHat-supplied RPM
of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64
Looking at the debug-output of the module, this is what the relevant part
looks like:
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_unix(sshd:session):
session opened for user XXXX by (uid=0)
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]:
default/local realm 'RRZ.UNI-KOELN.DE'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: configured
realm 'RRZ.UNI-KOELN.DE'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: debug
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: don't
always_allow_localname
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no
ignore_afs
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no
null_afs
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no
cred_session
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no
ignore_k5login
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:
user_check
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will try
previously set password first
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will ask
for a password if that fails
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will let
libkrb5 ask questions
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:
use_shmem
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:
external
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no
multiple_ccaches
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:
validate
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: warn
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: banner:
Kerberos 5
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccache dir:
/tmp
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccname
template: FILE:%d/krb5cc_%U_XXXXXX
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: keytab:
FILE:/etc/krb5.keytab
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: token
strategy: 2b
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: removing
shared memory segment 3 creator pid 3197
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: cleanup
function removing shared memory segment 3 belonging to process 3197
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining
afs tokens
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: creating
new PAG
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining
tokens for local cell 'rrz.uni-koeln.de'
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: trying with
ticket (2b)
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting
to determine realm for "rrz.uni-koeln.de"
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server
for "/afs/rrz.uni-koeln.de" is 134.95.67.97
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server
for "/afs/rrz.uni-koeln.de" is 134.95.109.81
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server
for "/afs/rrz.uni-koeln.de" is 134.95.109.75
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server
for "/afs/rrz.uni-koeln.de" is 134.95.112.8
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server
134.95.67.97 has name afs.thp.uni-koeln.de
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]:
afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting
to obtain tokens for "rrz.uni-koeln.de"
("afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE")
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: got tokens
for cell "rrz.uni-koeln.de"
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: no
additional afs cells configured
We then took the source RPM: pam_krb5-2.4.8-6.el7.src.rpm and did a rebuild
on a RHEL-8-Machine. This worked without any errors.
However, when we try to use this to get a token, this happens:
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]:
pam_unix(sshd:session): session opened for user a0537 by (uid=0)
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
default/local realm 'RRZ.UNI-KOELN.DE'
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
configured realm 'RRZ.UNI-KOELN.DE'
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
flag: debug
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
flag: don't always_allow_localname
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
flag: no ignore_afs
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
flag: no null_afs
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
flag: no cred_session
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
flag: no ignore_k5login
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
flag: user_check
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
will try previously set password first
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
will ask for a password if that fails
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
will let libkrb5 ask questions
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
flag: use_shmem
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
flag: external
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
flag: no multiple_ccaches
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
flag: validate
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
flag: warn
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
banner: Kerberos 5
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
ccache dir: /tmp
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
ccname template: FILE:%d/krb5cc_%U_XXXXXX
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
keytab: FILE:/etc/krb5.keytab
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
token strategy: 2b
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
removing shared memory segment 29 creator pid 2204130
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
cleanup function removing shared memory segment 29 belonging to process 2204130
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
obtaining afs tokens
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
creating new PAG
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
obtaining tokens for local cell 'rrz.uni-koeln.de'
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
trying with ticket (2b)
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
attempting to determine realm for "rrz.uni-koeln.de"
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
file server for "/afs/rrz.uni-koeln.de" is 134.95.67.97
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
file server for "/afs/rrz.uni-koeln.de" is 134.95.112.8
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
file server for "/afs/rrz.uni-koeln.de" is 134.95.109.81
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
file server for "/afs/rrz.uni-koeln.de" is 134.95.109.75
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
file server 134.95.67.97 has name afs.thp.uni-koeln.de
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
attempting to obtain tokens for "rrz.uni-koeln.de"
("afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE")
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE'
(enctype=1) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with
supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE'
(enctype=2) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with
supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE'
(enctype=3) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with
supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
attempting to obtain tokens for "rrz.uni-koeln.de" ("afs@RRZ.UNI-KOELN.DE")
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
error obtaining credentials for 'afs@RRZ.UNI-KOELN.DE' (enctype=1) on behalf of
'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
error obtaining credentials for 'afs@RRZ.UNI-KOELN.DE' (enctype=2) on behalf of
'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
error obtaining credentials for 'afs@RRZ.UNI-KOELN.DE' (enctype=3) on behalf of
'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
attempting to obtain tokens for "rrz.uni-koeln.de"
("afsx/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE")
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
error obtaining credentials for 'afsx/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE'
(enctype=1) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with
supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
error obtaining credentials for 'afsx/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE'
(enctype=2) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with
supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
error obtaining credentials for 'afsx/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE'
(enctype=3) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with
supported encryption types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
attempting to obtain tokens for "rrz.uni-koeln.de" ("afsx@RRZ.UNI-KOELN.DE")
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
error obtaining credentials for 'afsx@RRZ.UNI-KOELN.DE' (enctype=1) on behalf
of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption
types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
error obtaining credentials for 'afsx@RRZ.UNI-KOELN.DE' (enctype=2) on behalf
of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption
types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
error obtaining credentials for 'afsx@RRZ.UNI-KOELN.DE' (enctype=3) on behalf
of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption
types
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]:
afslog (2b) failed to "rrz.uni-koeln.de"
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: got
error -1 (Unknown code ____ 255) while obtaining tokens for rrz.uni-koeln.de
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: no
additional afs cells configured
To reiterate: We get both kerberos ticket and AFS-Token on RHEL-7. On RHEL-8,
we still get a valid kerberos ticket, but getting the AFS-Token fails. It -is-
possible, however, to get a valid AFS-Token by klog.krb5. So -in principle-
everything is in place to have this done by pam_afs.
The problem is: I have no way to determine why it is complaining about "no
supported encryption types" when other tools have no problems at all!
Additional info: Yes, we did rekey our AFS-cell quite a while ago, and our
afs-Principal has two keys:
kadmin.local: getprinc afs/rrz.uni-koeln.de
Principal: afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE
<snip>
Anzahl der Schlüssel: 2
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 4, des-cbc-crc
MKey: vno 1
Attribute: REQUIRES_PRE_AUTH
Richtlinie: [keins]
Our users have three:
kadmin.local: getprinc XXXX
Principal: XXXX@RRZ.UNI-KOELN.DE
<snip>
Anzahl der Schlüssel: 3
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, des-cbc-crc
Key: vno 2, des-cbc-md5:afs3
MKey: vno 1
Attribute: REQUIRES_PRE_AUTH
Richtlinie: [keins]
Like I said before, I looked at the sources of our version of pam_krb5, and
the part where it is failing starts at line 775 inside the function
"minikafs_5log_with_principal" (I'll attach the minikafs.c to this mail for
reference)
    /* Try to obtain a suitable credential. */
    for (i = 0; i < n_etypes; i++) {
        memset(&mcreds, 0, sizeof(mcreds));
        mcreds.client = client;
        mcreds.server = server;
        if (etypes != NULL) {
            v5_creds_set_etype(ctx, &mcreds, etypes[i]);
        }
        new_creds = NULL;
        tmp = krb5_get_credentials(ctx, 0, ccache,
                                   &mcreds, &new_creds);
        if (tmp == 0) {
            if (use_rxk5 &&
                (minikafs_5settoken2(cell, new_creds, uid) == 0)) {
                krb5_free_creds(ctx, new_creds);
                v5_free_unparsed_name(ctx, unparsed_client);
                krb5_free_principal(ctx, client);
                krb5_free_principal(ctx, server);
                return 0;
            } else
            if (use_v5_2b &&
                (minikafs_5settoken(cell, new_creds, uid) == 0)) {
                krb5_free_creds(ctx, new_creds);
                v5_free_unparsed_name(ctx,
                                      unparsed_client);
                krb5_free_principal(ctx, client);
                krb5_free_principal(ctx, server);
                return 0;
            }
            krb5_free_creds(ctx, new_creds);
        } else {
            if (options->debug) {
                if (etypes != NULL) {
                    debug("error obtaining credentials for "
                          "'%s' (enctype=%d) on behalf of "
                          "'%s': %s",
                          principal, etypes[i],
                          unparsed_client,
                          v5_error_message(tmp));
                } else {
                    debug("error obtaining credentials for "
                          "'%s' on behalf of "
                          "'%s': %s",
                          principal,
                          unparsed_client,
                          v5_error_message(tmp));
                }
            }
        }
    }
    v5_free_unparsed_name(ctx, unparsed_client);
    krb5_free_principal(ctx, client);
    krb5_free_principal(ctx, server);
If you or anyone else has any ideas how to tackle the problem, any help would
be greatly appreciated.
Cheers from Cologne,
Stephan Wonczak
On Fri, 8 Jul 2022, Jeffrey E Altman wrote:
>
> Sounds like the version of pam_krb5 you are attempting to build does not
> include support for rxkad-kdf.
>
> https://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html
>
> The version of pam_krb5 that supports rxkad-kdf contains a
> minikafs_kd_derive() function at minikafs.c line 775.
>
> See https://github.com/frozencemetery/pam_krb5.
>
> As mentioned in my prior reply pam_krb5 should not be used in conjunction
> with sssd.
>
> Jeffrey Altman
>
> On 7/8/2022 8:35 AM, Stephan Wonczak (a0033@rrz.uni-koeln.de) wrote:
> Hi everyone!
> (Berthold's colleague here)
>
> We dug a little deeper and found the part in the
> pam_krb5-sources where it fails. It is in the file "minikafs.c"
> starting in line 775. It looks like the call to
> krb5_get_credentials() gets a non-zero return value, thus making
> it bail out.
> The problem is that we (well, at least me!) have no idea which
> enctype is expected, and which enctypes are actually tried.
> Debug output is not too helpful here. Any ideas on how to get
> useful information?
> (I should mention I am waaay out of depth here with my
> knowledge of Kerberos, and my C-fu is severely lacking, too ;-)
> )
>
> To be absolutely clear: We can ssh-login to the machine
> running this pam_krb.so-module, and get a valid krb5-ticket. No
> AFS-token after login, thus no access to AFS. If I do
> "klog.krb5", I -do- get an AFS-Token without any issues, and
> AFS-access starts working as it should.
> It's maddening that only pam_krb5 complains, while other tools
> work out of the box.
>
> Any advice would be greatly appreciated!
>
> Stephan
>
> On Fri, 8 Jul 2022, Berthold Cogel wrote:
>
> On 07.07.22 at 19:04, Dirk Heinrichs wrote:
> Benjamin Kaduk:
>
> Are you aware of pam_afs_session
> (https://github.com/rra/pam-afs-session)? Without knowing more about
> what you're using pam_krb5 for it's hard to make specific suggestions
> about what alternatives might exist.
>
>
> BTW: pam_krb5 != pam_krb5. There are two different modules with the same
> name out there. The one shipped with RedHat family distributions comes
> with integrated AFS support, while the one shipped with Debian family
> distributions doesn't. That's the reason why Debian also ships
> pam_afs_session and RH does not.
>
> Bye...
>
> Dirk
>
>
> We're using the pam_krb5 shipped with Red Hat.
>
> I've rebuilt the module from the RHEL 7 source rpm
> on RHEL 8. And it seems to work.... for some value
> of working....
>
> Supported enctypes in our kdc:
> aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal
> des:afs3
>
> We 'rekeyed' our AFS environment with
> aes256-cts-hmac-sha1-96:normal to get connections
> from newer Ubuntu/Debian and Fedora 35 working.
>
> We get a krb5 ticket and a login, but getting the
> AFS token gives errors:
>
> "error obtaining credentials for
> 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=1)
> on behalf of ....: No credentials found with
> supported encryption types"
>
> Same for two other enctypes.
>
> So something else changed in RHEL 8, which we
> haven't found yet.
>
>
> Regards
> Berthold
>
>
> Dipl. Chem. Dr. Stephan Wonczak
>
> Regionales Rechenzentrum der Universitaet zu Koeln
> (RRZK)
> Universitaet zu Koeln, Weyertal 121, 50931 Koeln
> Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
>
>
>
Dipl. Chem. Dr. Stephan Wonczak
Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
Universitaet zu Koeln, Weyertal 121, 50931 Koeln
Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
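
Added example (not part of the original message and not pam_krb5 code): a small Python script that rejoins mail-wrapped pam_krb5 debug records like the ones in this thread and lists which enctype each refused credential request asked for, using the IANA Kerberos enctype numbering in which 1, 2 and 3 are the single-DES types. The sample log is constructed, with placeholder host, user and realm names.

```python
import re
from collections import defaultdict

# Kerberos enctype numbers from the IANA registry; 1-3 are the single-DES types.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
SINGLE_DES = {1, 2, 3}

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\s")
FAIL_RE = re.compile(
    r"pam_krb5\[\d+\]:\s+error obtaining credentials for '(?P<svc>[^']+)'\s+"
    r"\(enctype=(?P<etype>\d+)\)\s+on behalf of\s+'(?P<client>[^']+)':")

def unwrap(text):
    """Rejoin syslog records that mail wrapping split across several lines."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def failed_requests(text):
    """Map each service principal to the enctype numbers that were refused."""
    tried = defaultdict(list)
    for rec in unwrap(text):
        m = FAIL_RE.search(rec)
        if m:
            tried[m["svc"]].append(int(m["etype"]))
    return dict(tried)

def only_single_des(text):
    """True when failures exist and every refused request asked for single DES."""
    tried = failed_requests(text)
    return bool(tried) and all(set(e) <= SINGLE_DES for e in tried.values())

def report(text):
    """One summary line per service principal, with enctype names spelled out."""
    return [svc + ": " + ", ".join(f"{e}={ENCTYPE_NAMES.get(e, 'unknown')}"
                                   for e in etypes)
            for svc, etypes in failed_requests(text).items()]

# Constructed sample, wrapped the way the records appear in the mail.
SAMPLE = """\
Jul 8 15:14:57 host.example.org sshd[4242]: pam_krb5[4242]:
error obtaining credentials for 'afs/example.org@EXAMPLE.ORG'
(enctype=1) on behalf of 'user1@EXAMPLE.ORG': No credentials found with
supported encryption types
Jul 8 15:14:57 host.example.org sshd[4242]: pam_krb5[4242]:
error obtaining credentials for 'afs/example.org@EXAMPLE.ORG'
(enctype=2) on behalf of 'user1@EXAMPLE.ORG': No credentials found
Jul 8 15:14:57 host.example.org sshd[4242]: pam_krb5[4242]:
error obtaining credentials for 'afs/example.org@EXAMPLE.ORG'
(enctype=3) on behalf of 'user1@EXAMPLE.ORG': No credentials found
Jul 8 15:14:57 host.example.org sshd[4242]: pam_krb5[4242]:
error obtaining credentials for 'afs@EXAMPLE.ORG' (enctype=1) on behalf of
'user1@EXAMPLE.ORG': No credentials found with supported encryption types
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
    print("only single-DES enctypes requested:", only_single_des(SAMPLE))
```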