[OpenAFS] pam_krb5afs anyone?

Martin Schulz schulz@iwrmm.math.uni-karlsruhe.de
16 Aug 2001 20:24:30 +0200


Hello, 

I am wrestling again with the pam_krb5afs.so module. Though I have
it running correctly on several machines, I have problems on others. I
have now worked for hours to find the decisive difference between
these, but without success.


Nalin Dahyabhai <nalin@redhat.com> writes:

> Do you have krb.conf and krb.realms files in /etc?  Attempts to get
> a v4 TGT use the functions in libkrb4, which AFAIK don't read their
> configuration from krb5.conf.  (Equivalently, does "kinit -4" work?)


On a machine where it works, I get in syslog:
------------------------------------------------------------------------
Aug 16 13:44:16 iwr01 login[831]: pam_krb5afs: authentication succeeds for schulz
Aug 16 13:44:16 iwr01 login[831]: pam_krb5afs: Got 148 extra bytes in v4 TGT
------------------------------------------------------------------------


On a machine where I have problems, I get:

------------------------------------------------------------------------
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: authentication succeeds for schulz
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: TGT for schulz not verified (no required_tgs defined)
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: Got bad v4 TGT for "krbtgt.IWRMM.UNI-KARLSRUHE.DE@IWRMM.UNI-KARLSRUHE.DE"
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: Got 148 extra bytes in v4 TGT
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: v4 ticket conversion failed for schulz: Unknown code k524 0 (shouldn't happen)
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: removing /tmp/krb5cc_500_NDtWDS
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: v4 ticket conversion failed for schulz: Unknown code k524 0 (shouldn't happen)
------------------------------------------------------------------------

The corresponding lines in the krb5kdc.log file do not look suspicious:

------------------------------------------------------------------------
Aug 16 19:15:17 iwr01 krb5kdc[23893](info): AS_REQ 172.22.5.215(88): ISSUE: authtime 997982117, schulz@IWRMM.UNI-KARLSRUHE.DE for krbtgt/IWRMM.UNI-KARLSRUHE.DE@IWRMM.UNI-KARLSRUHE.DE
Aug 16 19:15:17 iwr01 krb5kdc[23893](info): PROCESS_V4:Initial ticket request Host: 172.22.5.215 User: "schulz" ""
------------------------------------------------------------------------

'klist' indeed shows that there is only a krb5 ticket and no krb4
ticket. Nevertheless an explicit call to 'kinit -4' succeeds, as does
Ken Hornstein's 'aklog' program.

I suppose there must be some kind of key distribution problem here. What
does the "Got bad v5 TGT" actually indicate? Is there a way to make
pam_krb5afs more verbose?

Yours,
-- 
Martin Schulz                             schulz@iwrmm.math.uni-karlsruhe.de
Uni Karlsruhe, Institut f. wissenschaftliches Rechnen u. math. Modellbildung
Engesser Str. 6, 76128 Karlsruhe
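
Added example, not part of the original message and not code from pam_krb5afs: a small triage script that groups the pam_krb5afs syslog lines quoted above by login attempt (host and PID) and reports which messages occur only in attempts where the v4 TGT step failed. The function names and the normalisation rules are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# The pam_krb5afs syslog lines quoted in the message (iwr01 works, iwr15 fails).
SYSLOG = """\
Aug 16 13:44:16 iwr01 login[831]: pam_krb5afs: authentication succeeds for schulz
Aug 16 13:44:16 iwr01 login[831]: pam_krb5afs: Got 148 extra bytes in v4 TGT
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: authentication succeeds for schulz
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: TGT for schulz not verified (no required_tgs defined)
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: Got bad v4 TGT for "krbtgt.IWRMM.UNI-KARLSRUHE.DE@IWRMM.UNI-KARLSRUHE.DE"
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: Got 148 extra bytes in v4 TGT
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: v4 ticket conversion failed for schulz: Unknown code k524 0 (shouldn't happen)
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: removing /tmp/krb5cc_500_NDtWDS
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: v4 ticket conversion failed for schulz: Unknown code k524 0 (shouldn't happen)
"""

LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) [^\[\s]+\[(?P<pid>\d+)\]: "
    r"pam_krb5afs: (?P<msg>.*)$"
)

def sessions(text):
    """Group pam_krb5afs messages by (host, pid), one login attempt each."""
    out = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out[(m["host"], int(m["pid"]))].append(m["msg"])
    return dict(out)

def v4_failed(msgs):
    """True when the password check passed but no usable v4 TGT resulted."""
    ok = any(m.startswith("authentication succeeds") for m in msgs)
    bad = any(m.startswith("Got bad v4 TGT") or "v4 ticket conversion failed" in m
              for m in msgs)
    return ok and bad

def normalise(msg):
    """Mask per-attempt values so equal message types compare equal (assumed rules)."""
    msg = re.sub(r"/tmp/krb5cc_\S+", "/tmp/krb5cc_<id>", msg)
    return re.sub(r"\b\d+\b", "N", msg)

def only_in_failures(text):
    """Normalised messages seen in failing attempts but in no working attempt."""
    good, bad = set(), set()
    for msgs in sessions(text).values():
        (bad if v4_failed(msgs) else good).update(normalise(m) for m in msgs)
    return sorted(bad - good)

if __name__ == "__main__":
    for msg in only_in_failures(SYSLOG):
        print(msg)
```

On the quoted logs, the "extra bytes in v4 TGT" line is filtered out because it appears on both hosts, leaving the "not verified", "Got bad v4 TGT", conversion-failure and ccache-removal messages as the ones unique to iwr15.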