Another problem RE: [OpenAFS-devel] pam_gssklog on solaris9

Rong,Yongjun(CS) rong@cs.ttu.edu
Thu, 24 Jun 2004 14:34:58 -0500


Hi, I have another problem when I am trying to run pam_krb5 and pam_gssklog
with pam_unix.
When I configure my dtlogin in pam.conf on a Solaris 9 box as below:

dtlogin   auth requisite          pam_authtok_get.so.1 debug
dtlogin   auth required           pam_dhkeys.so.1 debug
dtlogin   auth    required      pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
dtlogin   auth     optional       pam_gssklog.so.1 debug

The pam_gssklog is working fine and pam_sm_setcred was called. It can run
gssklog correctly and get AFS tokens.
But if I add pam_unix_auth.so.1 before pam_krb5.so as below:

dtlogin   auth requisite          pam_authtok_get.so.1 debug
dtlogin   auth required           pam_dhkeys.so.1 debug
dtlogin   auth   sufficient    pam_unix_auth.so.1 debug use_first_pass
dtlogin   auth    required      pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
dtlogin   auth     optional       pam_gssklog.so.1 debug

The pam_sm_setcred in pam_gssklog was not called. So it cannot run gssklog
to get AFS tokens. pam_sm_authenticate in pam_gssklog was called. If I
adjusted the order of the pam-unix as below:

dtlogin   auth requisite          pam_authtok_get.so.1 debug
dtlogin   auth required           pam_dhkeys.so.1 debug
dtlogin   auth    optional      pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
dtlogin   auth     sufficient       pam_gssklog.so.1 debug
dtlogin   auth   required    pam_unix_auth.so.1 debug use_first_pass

It still has the same result. pam_sm_setcred was not called.

What I want is just to combine the general Unix authentication with the Kerberos
authentication. When one authentication fails, the system will try another
one. If one succeeds, it will pass.
Another question: Is it possible to move the gssklog run to
pam_sm_open_session, like pam_openafs_session for aklog?

Any suggestions? Thanks.
Rong

-----Original Message-----
From: openafs-devel-admin@openafs.org
[mailto:openafs-devel-admin@openafs.org]On Behalf Of Rong,Yongjun(CS)
Sent: Tuesday, June 15, 2004 4:36 PM
To: rong@cs.ttu.edu; Douglas E. Engert
Cc: openafs-devel@openafs.org
Subject: Solutions RE: [OpenAFS-devel] pam_gssklog on solaris9


Hi,
  I have figured out the problem. For Solaris, I added "#define
TARGET_ARCH_SOLARIS" and changed gssklog_exec = "/usr/bin/gssklog" in
gssklog_pag_klog.c and recompiled pam_gssklog.so.1. Then it works. Please make
sure the gssklog_exec is the path to your gssklog file, not the directory.
  That's all.
  Thanks again for everyone's help.
  Rong


-----Original Message-----
From: openafs-devel-admin@openafs.org
[mailto:openafs-devel-admin@openafs.org]On Behalf Of rong@cs.ttu.edu
Sent: Monday, June 14, 2004 8:57 PM
To: Douglas E. Engert
Cc: openafs-devel@openafs.org
Subject: Re: [OpenAFS-devel] pam_gssklog on solaris9


I have changed it to /usr/bin and recompiled it. I put my gssklog in
/usr/bin. But it still has the same error. I can run it manually without
any problem. The env has the correct krb5 ticket cache file.
>
>
> "Rong,Yongjun(CS)" wrote:
>
>> Hi,
>>   The execle(gssklog_exec, "gssklog","-silent",0,env) in gssklog_pag_klog
>> has been called. But it returns errno= 13 which means permission denied. I
>> have checked the permission of the gssklog and pam_gssklog.so.1. All are
>> 755. I can run gssklog manually via command line. But the pam_gssklog.so
>> cannot call gssklog via execle.
>
> gssklog_exec is the path of the gssklog. It defaults to /krb5/bin/gssklog
> If this is not the location, you will have to recompile or move it. It's on
> my to-do list to make this a parameter. (actually replace the
> gssklog_pag_klog.c with the routines used by ssh.)
>
>>
>>   Anyone has any suggestions?
>>   Thanks.
>>   Rong
>>
>> -----Original Message-----
>> From: openafs-devel-admin@openafs.org
>> [mailto:openafs-devel-admin@openafs.org]On Behalf Of Rong,Yongjun(CS)
>> Sent: Monday, June 14, 2004 2:35 PM
>> To: openafs-devel@openafs.org
>> Subject: RE: [OpenAFS-devel] pam_gssklog on solaris9
>>
>> I have got the pam_sm_setcred called when a user logs in. But pam_gss_klog
>> seems unable to call the gssklog_pag_klog function.
>>  I got the debug information below before gssklog_pag_klog is called:
>> Jun 14 14:26:27 tset dtlogin[7216]: [ID 868606 user.debug] pam_gssklog: env=KRB5CCNAME=FILE:/tmp/krb5cc_2079_X7aago
>> Jun 14 14:26:27 tset dtlogin[7216]: [ID 868606 user.debug] pam_gssklog: set_pag=1
>>
>> I have checked that /tmp/krb5cc_2079_X7aago is correct. But it seems
>> gssklog_pag_klog is not called even though there is a function call from
>> pam_gssklog as below:
>>  gssklog_pag_klog(set_pag, env);
>> I have put some debug inside the gssklog_pag_klog.c, but no information
>> was printed.
>> Thanks for your suggestions.
>> Rong
>>
>> -----Original Message-----
>> From: openafs-devel-admin@openafs.org
>> [mailto:openafs-devel-admin@openafs.org]On Behalf Of Rong,Yongjun(CS)
>> Sent: Thursday, June 10, 2004 5:02 PM
>> To: Rong,Yongjun(CS); openafs-devel@openafs.org
>> Subject: RE: [OpenAFS-devel] pam_gssklog on solaris9
>>
>> I have got pam_sm_setcred called by PAM framework after I changed my
>> pam.conf as below:
>> dtlogin   auth requisite          pam_authtok_get.so.1 debug
>> #dtlogin   auth required           pam_dhkeys.so.1 debug
>> #dtlogin   auth   sufficient    pam_unix_auth.so.1 debug use_first_pass
>> dtlogin   auth    required      pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
>> dtlogin   auth required       pam_gssklog.so.1 debug
>>
>> -----Original Message-----
>> From: openafs-devel-admin@openafs.org
>> [mailto:openafs-devel-admin@openafs.org]On Behalf Of Rong,Yongjun(CS)
>> Sent: Thursday, June 10, 2004 3:51 PM
>> To: openafs-devel@openafs.org
>> Subject: [OpenAFS-devel] pam_gssklog on solaris9
>>
>> Hi, All,
>>   I have another problem with pam_gssklog. It seems that pam_sm_setcred
>> cannot be called during the login process. My pam.conf for dtlogin is as
>> below:
>>
>> dtlogin   auth requisite          pam_authtok_get.so.1 debug
>> dtlogin   auth required           pam_dhkeys.so.1 debug
>> dtlogin   auth   sufficient    pam_unix_auth.so.1 debug use_first_pass
>> dtlogin   auth    optional      pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
>> dtlogin   auth optional       pam_gssklog.so.1 debug
>>
>> pam_krb5.so works fine. After the user logs in, I can klist the tickets. But
>> pam_gssklog is not working well. From the debug information,
>> pam_sm_setcred is not called.
>> Any suggestions? Thanks in advance.
>> Rong
>>
>> _______________________________________________
>> OpenAFS-devel mailing list
>> OpenAFS-devel@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-devel
>
> --
>
>  Douglas E. Engert  <DEEngert@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
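
The errno 13 from execle() reported in this thread, with all file modes at 755, is what exec returns when the path names a directory instead of the program file. The following check is an added example, not code from pam_gssklog or from any poster; the function names and enum values are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum exec_check { EXEC_OK, EXEC_MISSING, EXEC_NOT_REGULAR, EXEC_NO_X_BIT };

/* Hypothetical pre-flight check: classify a candidate gssklog_exec value. */
enum exec_check check_exec_path(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return EXEC_MISSING;
    if (!S_ISREG(st.st_mode))
        return EXEC_NOT_REGULAR;  /* e.g. a directory such as /usr/bin */
    if (access(path, X_OK) != 0)
        return EXEC_NO_X_BIT;
    return EXEC_OK;
}

/* Fork, call execle() with an empty environment, and return the errno the
 * child saw, or 0 if the exec succeeded (the close-on-exec pipe reads EOF). */
int exec_errno(const char *path)
{
    int pfd[2], err = 0;
    char *const env[] = { NULL };
    pid_t pid;
    if (pipe(pfd) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        close(pfd[0]);
        fcntl(pfd[1], F_SETFD, FD_CLOEXEC);
        execle(path, path, (char *)NULL, env);
        err = errno;              /* only reached when exec failed */
        if (write(pfd[1], &err, sizeof err) < 0) { /* parent sees EOF */ }
        _exit(127);
    }
    close(pfd[1]);
    if (read(pfd[0], &err, sizeof err) != (ssize_t)sizeof err)
        err = 0;
    close(pfd[0]);
    waitpid(pid, NULL, 0);
    return err;
}
```

Logging the result of such a check from the module before the exec call separates a wrong path from a real permission problem.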