Another problem RE: [OpenAFS-devel] pam_gssklog on solaris9

Rong,Yongjun(CS) rong@cs.ttu.edu
Mon, 28 Jun 2004 16:46:28 -0500


Below is the information I extracted from "man pam.conf":
sufficient
           If the service module return success and no  preceding
           required modules returned failures, immediately return
           success without calling any subsequent modules.  If  a
           failure  is returned, treat the failure as an optional
           module failure, and continue to process the PAM stack.
I also tried it as you said. But it can only log in as a Kerberos principal, and it
cannot get AFS tokens.
When I tried a general Unix user who does not have a Kerberos principal, it
cannot log in.

-----Original Message-----
From: openafs-devel-admin@openafs.org
[mailto:openafs-devel-admin@openafs.org]On Behalf Of Douglas E. Engert
Sent: Monday, June 28, 2004 10:10 AM
To: Rong,Yongjun(CS)
Cc: openafs-devel@openafs.org
Subject: Re: Another problem RE: [OpenAFS-devel] pam_gssklog on solaris9




"Rong,Yongjun(CS)" wrote:
>
> Hi, I have another problem when I try to run pam_krb5 and pam_gssklog
> with pam_unix,
> when I configure dtlogin in pam.conf on a Solaris 9 box as below:
>
> dtlogin   auth requisite          pam_authtok_get.so.1 debug
> dtlogin   auth required           pam_dhkeys.so.1 debug
> dtlogin   auth required           pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
> dtlogin   auth optional           pam_gssklog.so.1 debug
>
> The pam_gssklog is working fine and pam_sm_setcred was called. It can run
> gssklog correctly and get AFS tokens.
> But if I add pam_unix_auth.so.1 before pam_krb5.so as below:
>
> dtlogin   auth requisite          pam_authtok_get.so.1 debug
> dtlogin   auth required           pam_dhkeys.so.1 debug
> dtlogin   auth sufficient         pam_unix_auth.so.1 debug use_first_pass
> dtlogin   auth required           pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
> dtlogin   auth optional           pam_gssklog.so.1 debug
>
> The pam_sm_setcred in pam_gssklog was not called. So it cannot run gssklog
> to get AFS tokens. pam_sm_authenticate in pam_gssklog was called. If I
> adjust the order of pam_unix as below:
>
> dtlogin   auth requisite          pam_authtok_get.so.1 debug
> dtlogin   auth required           pam_dhkeys.so.1 debug
> dtlogin   auth optional           pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
> dtlogin   auth sufficient         pam_gssklog.so.1 debug
> dtlogin   auth required           pam_unix_auth.so.1 debug use_first_pass
>
> It still has the same result. pam_sm_setcred was not called.

This looks like it is a PAM config problem. On Solaris 9
I would try:

 dtlogin   auth requisite          pam_authtok_get.so.1 debug
 dtlogin   auth required           pam_dhkeys.so.1 debug
 dtlogin   auth sufficient         pam_krb5.so debug forwardable realmm=TTU.EDU
 dtlogin   auth optional           pam_gssklog.so.1 debug
 dtlogin   auth required           pam_unix_auth.so.1 debug use_first_pass

And if this does not work, try required for the gssklog

>
> What I want is just to combine the general Unix authentication with the Kerberos
> authentication. When one authentication fails, the system will try the other
> one. If one succeeds, it will pass.
> Another question: Is it possible to move the gssklog run to
> pam_sm_open_session, like pam_openafs_session does for aklog?

You would have to make some changes to the code to support the session code.
In effect the pam_gssklog is trying to find the Kerberos ticket cache
and call gssklog. Depending on how important it is to have a token during
the rest of the PAM processing, you might be able to call it later.

The other option is to have pam_krb5 call gssklog_pag_klog.


P.S. Your examples above use "realmm" should that be "realm"?

>
> Any suggestions? Thanks.
> Rong
>
> -----Original Message-----
> From: openafs-devel-admin@openafs.org
> [mailto:openafs-devel-admin@openafs.org]On Behalf Of Rong,Yongjun(CS)
> Sent: Tuesday, June 15, 2004 4:36 PM
> To: rong@cs.ttu.edu; Douglas E. Engert
> Cc: openafs-devel@openafs.org
> Subject: Solutions RE: [OpenAFS-devel] pam_gssklog on solaris9
>
> Hi,
>   I have figured out the problem. For Solaris, I added "#define
> TARGET_ARCH_SOLARIS" and changed gssklog_exec = "/usr/bin/gssklog" in
> gssklog_pag_klog.c and recompiled pam_gssklog.so.1. Then it works. PLS make
> sure the gssklog_exec is the path to your gssklog file, not the directory.
>   That's all.
>   Thanks again for everyone's help.
>   Rong
>
> -----Original Message-----
> From: openafs-devel-admin@openafs.org
> [mailto:openafs-devel-admin@openafs.org]On Behalf Of rong@cs.ttu.edu
> Sent: Monday, June 14, 2004 8:57 PM
> To: Douglas E. Engert
> Cc: openafs-devel@openafs.org
> Subject: Re: [OpenAFS-devel] pam_gssklog on solaris9
>
> I have changed it to /usr/bin and recompiled it. I put my gssklog in
> /usr/bin. But it still has the same error. I can run it manually without
> any problem. The env has the correct krb5 ticket cache file.
> >
> >
> > "Rong,Yongjun(CS)" wrote:
> >
> >> Hi,
> >>   The execle(gssklog_exec, "gssklog","-silent",0,env) in gssklog_pag_klog
> >> has been called. But it returns errno= 13 which means permission denied. I
> >> have checked the permissions of gssklog and pam_gssklog.so.1. All are
> >> 755. I can run gssklog manually via the command line. But pam_gssklog.so
> >> cannot call gssklog via execle.
> >
> > gssklog_exec is the path of the gssklog. It defaults to /krb5/bin/gssklog.
> > If this is not the location, you will have to recompile or move it. It's on
> > my to-do list to make this a parameter. (Actually, replace gssklog_pag_klog.c
> > with the routines used by ssh.)
> >
> >>
> >>   Does anyone have any suggestions?
> >>   Thanks.
> >>   Rong
> >>
> >> -----Original Message-----
> >> From: openafs-devel-admin@openafs.org
> >> [mailto:openafs-devel-admin@openafs.org]On Behalf Of Rong,Yongjun(CS)
> >> Sent: Monday, June 14, 2004 2:35 PM
> >> To: openafs-devel@openafs.org
> >> Subject: RE: [OpenAFS-devel] pam_gssklog on solaris9
> >>
> >> I have got pam_sm_setcred called when a user logs in. But pam_gssklog
> >> seems unable to call the gssklog_pag_klog function.
> >>  I got the debug information below before gssklog_pag_klog is called:
> >> Jun 14 14:26:27 tset dtlogin[7216]: [ID 868606 user.debug] pam_gssklog:
> >> env=KRB5CCNAME=FILE:/tmp/krb5cc_2079_X7aago
> >> Jun 14 14:26:27 tset dtlogin[7216]: [ID 868606 user.debug] pam_gssklog:
> >> set_pag=1
> >>
> >> I have checked that /tmp/krb5cc_2079_X7aago is correct. But it seems
> >> gssklog_pag_klog is not called even though there is a function call from
> >> pam_gssklog as below:
> >>  gssklog_pag_klog(set_pag, env);
> >> I have put some debug inside gssklog_pag_klog.c, but no information
> >> was printed.
> >> Thanks for your suggestions.
> >> Rong
> >>
> >> -----Original Message-----
> >> From: openafs-devel-admin@openafs.org
> >> [mailto:openafs-devel-admin@openafs.org]On Behalf Of Rong,Yongjun(CS)
> >> Sent: Thursday, June 10, 2004 5:02 PM
> >> To: Rong,Yongjun(CS); openafs-devel@openafs.org
> >> Subject: RE: [OpenAFS-devel] pam_gssklog on solaris9
> >>
> >> I have got pam_sm_setcred called by the PAM framework after I changed my
> >> pam.conf as below:
> >> dtlogin   auth requisite          pam_authtok_get.so.1 debug
> >> #dtlogin   auth required           pam_dhkeys.so.1 debug
> >> #dtlogin   auth   sufficient    pam_unix_auth.so.1 debug use_first_pass
> >> dtlogin   auth required           pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
> >> dtlogin   auth required           pam_gssklog.so.1 debug
> >>
> >> -----Original Message-----
> >> From: openafs-devel-admin@openafs.org
> >> [mailto:openafs-devel-admin@openafs.org]On Behalf Of Rong,Yongjun(CS)
> >> Sent: Thursday, June 10, 2004 3:51 PM
> >> To: openafs-devel@openafs.org
> >> Subject: [OpenAFS-devel] pam_gssklog on solaris9
> >>
> >> Hi, All,
> >>   I have another problem with pam_gssklog. It seems pam_sm_setcred
> >> cannot be called during the login process. My pam.conf for dtlogin is as
> >> below:
> >>
> >> dtlogin   auth requisite          pam_authtok_get.so.1 debug
> >> dtlogin   auth required           pam_dhkeys.so.1 debug
> >> dtlogin   auth sufficient         pam_unix_auth.so.1 debug use_first_pass
> >> dtlogin   auth optional           pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
> >> dtlogin   auth optional           pam_gssklog.so.1 debug
> >>
> >> pam_krb5.so is working fine. After the user logs in, I can klist the
> >> tickets. But pam_gssklog is not working well. From the debug information,
> >> pam_sm_setcred is not called.
> >> Any suggestions? Thanks in advance.
> >> Rong
> >>
> >> _______________________________________________
> >> OpenAFS-devel mailing list
> >> OpenAFS-devel@openafs.org
> >> https://lists.openafs.org/mailman/listinfo/openafs-devel
> >
> > --
> >
> >  Douglas E. Engert  <DEEngert@anl.gov>
> >  Argonne National Laboratory
> >  9700 South Cass Avenue
> >  Argonne, Illinois  60439
> >  (630) 252-5444
> >
> >
> >
>

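The thread turns on how the Solaris PAM framework walks an `auth` stack under the `requisite`/`required`/`sufficient`/`optional` control flags quoted from pam.conf(4) above, and on the fact that `pam_setcred` walks the same entries as `pam_authenticate`. The following is an added model of that walk, written for this page and not code from the thread or from OpenAFS/pam_gssklog; the per-module return codes for a "Kerberos-only" and a "local-only" account are constructed assumptions (in particular that pam_unix_auth reports failure at authenticate for an account with no Unix password but success at its no-op setcred step). Run over the two stacks posted in the thread, it reproduces both reports: with `pam_unix_auth.so.1` as `sufficient` in front, `pam_gssklog.so.1` is reached at authenticate but never at setcred, and with `pam_krb5.so` as `sufficient` in front, a Kerberos principal's success ends the walk before `pam_gssklog.so.1` runs. The model says nothing about pam_krb5's own behaviour, so it does not explain why the local user could not log in with the suggested stack.

```python
"""Model of how a PAM 'auth' stack is walked under the control flags described
in the pam.conf(4) excerpt quoted in the thread.  Constructed illustration,
not Solaris PAM source: module return codes come from a per-user table instead
of the real modules, and setcred is assumed to walk the same stack with the
same control flags as authenticate."""

from dataclasses import dataclass

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"


@dataclass(frozen=True)
class Entry:
    control: str  # requisite | required | sufficient | optional
    module: str   # e.g. "pam_unix_auth.so.1"


def walk_stack(stack, outcomes):
    """Walk `stack` once and return (final_result, modules_invoked).

    `outcomes` maps module name -> return code for this user and step; a
    module absent from the table is taken to return PAM_SUCCESS (constructed
    default).  Rules follow the man page text:
      requisite  - failure ends the walk at once with that code
      required   - failure is recorded and the walk continues; first one wins
      sufficient - success with no earlier required failure ends the walk
                   with PAM_SUCCESS; failure counts as an optional failure
      optional   - failure only matters if nothing else decides the result
    """
    invoked = []
    required_failure = None
    optional_failure = None
    saw_success = False
    for entry in stack:
        rc = outcomes.get(entry.module, PAM_SUCCESS)
        invoked.append(entry.module)
        ok = rc == PAM_SUCCESS
        if entry.control == "requisite":
            if not ok:
                return rc, invoked
            saw_success = True
        elif entry.control == "required":
            if ok:
                saw_success = True
            elif required_failure is None:
                required_failure = rc
        elif entry.control == "sufficient":
            if ok and required_failure is None:
                return PAM_SUCCESS, invoked  # later modules are never called
            if ok:
                saw_success = True
            elif optional_failure is None:
                optional_failure = rc
        elif entry.control == "optional":
            if ok:
                saw_success = True
            elif optional_failure is None:
                optional_failure = rc
        else:
            raise ValueError(f"unknown control flag {entry.control!r}")
    if required_failure is not None:
        return required_failure, invoked
    if saw_success or optional_failure is None:
        return PAM_SUCCESS, invoked
    return optional_failure, invoked


# Second stack from the thread: pam_unix_auth 'sufficient', in front of
# pam_krb5 and pam_gssklog.
STACK_UNIX_FIRST = [
    Entry("requisite", "pam_authtok_get.so.1"),
    Entry("required", "pam_dhkeys.so.1"),
    Entry("sufficient", "pam_unix_auth.so.1"),
    Entry("required", "pam_krb5.so"),
    Entry("optional", "pam_gssklog.so.1"),
]

# Stack suggested in the reply: pam_krb5 'sufficient', pam_gssklog 'optional',
# pam_unix_auth 'required' last.
STACK_KRB5_FIRST = [
    Entry("requisite", "pam_authtok_get.so.1"),
    Entry("required", "pam_dhkeys.so.1"),
    Entry("sufficient", "pam_krb5.so"),
    Entry("optional", "pam_gssklog.so.1"),
    Entry("required", "pam_unix_auth.so.1"),
]

# Constructed per-user outcomes (assumptions, not measured module behaviour).
# Kerberos-only account: no usable Unix password, so pam_unix_auth fails at
# authenticate; its setcred step has nothing to do and is assumed to succeed.
KRB_USER_AUTHENTICATE = {"pam_unix_auth.so.1": PAM_AUTH_ERR}
KRB_USER_SETCRED = {}
# Local-only account: pam_krb5 does not know the user, pam_gssklog has no
# ticket cache to work from.
UNIX_USER_AUTHENTICATE = {"pam_krb5.so": PAM_USER_UNKNOWN,
                          "pam_gssklog.so.1": PAM_AUTH_ERR}


def gssklog_reached(stack, outcomes):
    """True if pam_gssklog.so.1 is invoked at all during this walk."""
    _, invoked = walk_stack(stack, outcomes)
    return "pam_gssklog.so.1" in invoked


if __name__ == "__main__":
    for label, stack, outcomes in [
        ("unix-first, authenticate, krb user", STACK_UNIX_FIRST, KRB_USER_AUTHENTICATE),
        ("unix-first, setcred, krb user", STACK_UNIX_FIRST, KRB_USER_SETCRED),
        ("krb5-first, authenticate, krb user", STACK_KRB5_FIRST, KRB_USER_AUTHENTICATE),
        ("krb5-first, authenticate, unix user", STACK_KRB5_FIRST, UNIX_USER_AUTHENTICATE),
    ]:
        result, invoked = walk_stack(stack, outcomes)
        print(f"{label}: {result}; invoked {invoked}")
```

The walk is the whole story of the second configuration: at authenticate, pam_unix_auth's failure under `sufficient` is treated as optional and the walk continues to pam_krb5 and pam_gssklog, but at setcred the same `sufficient` entry succeeds first and the framework returns before pam_gssklog's `pam_sm_setcred` is ever consulted.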