[OpenAFS] pam_krb5afs anyone?

Nalin Dahyabhai nalin@redhat.com
Wed, 22 Aug 2001 17:52:33 -0400


On Thu, Aug 16, 2001 at 08:24:30PM +0200, Martin Schulz wrote:
> On a machine, where it works, I get into syslog:
> ------------------------------------------------------------------------
> Aug 16 13:44:16 iwr01 login[831]: pam_krb5afs: authentication succeeds for schulz
> Aug 16 13:44:16 iwr01 login[831]: pam_krb5afs: Got 148 extra bytes in v4 TGT
> ------------------------------------------------------------------------
> 
> On a machine, where I have problems, I get:
> 
> ------------------------------------------------------------------------
> Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: authentication succeeds for schulz
> Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: TGT for schulz not verified (no required_tgs defined)
> Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: Got bad v4 TGT for "krbtgt.IWRMM.UNI-KARLSRUHE.DE@IWRMM.UNI-KARLSRUHE.DE"
> Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: Got 148 extra bytes in v4 TGT
> Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: v4 ticket conversion failed for schulz: Unknown code k524 0 (shouldn't happen)
> Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: removing /tmp/krb5cc_500_NDtWDS
> Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: v4 ticket conversion failed for schulz: Unknown code k524 0 (shouldn't happen)
> ------------------------------------------------------------------------
> 
> The corresponding lines in the krb5kdc.log file do not look suspicious:
> 
> ------------------------------------------------------------------------
> Aug 16 19:15:17 iwr01 krb5kdc[23893](info): AS_REQ 172.22.5.215(88): ISSUE: authtime 997982117, schulz@IWRMM.UNI-KARLSRUHE.DE for krbtgt/IWRMM.UNI-KARLSRUHE.DE@IWRMM.UNI-KARLSRUHE.DE
> Aug 16 19:15:17 iwr01 krb5kdc[23893](info): PROCESS_V4:Initial ticket request Host: 172.22.5.215 User: "schulz" ""
> ------------------------------------------------------------------------
> 
> 'klist' shows indeed, that there is only a krb5 ticket and no krb4
> ticket. Nevertheless an explicit call to 'kinit -4' succeeds, as well
> as Ken Hornstein's 'aklog' program.
> 
> I suppose there must be some kind of key distribution problem here. What
> does the "Got bad v5 TGT" actually indicate? Is there a way to make
> pam_krb5afs more verbose? 

Try adding the "debug" argument to the proper PAM configuration file,
and configure syslog to log debugging messages somewhere.

My current guess is that you have different versions of the module installed
on the two workstations.  Some of the behavior wrt obtaining Kerberos IV
credentials has changed once or twice since the original version.

Nalin
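
One way to compare the module's behaviour on the two workstations is to diff the pam_krb5afs messages each host logs for the same login. This is an added example, not part of the original message or the module's own code; it runs over the syslog lines quoted above, and the function names are illustrative.

```python
import re
from collections import Counter

# Sample input: the pam_krb5afs syslog lines quoted in the message above.
WORKING_LOG = """\
Aug 16 13:44:16 iwr01 login[831]: pam_krb5afs: authentication succeeds for schulz
Aug 16 13:44:16 iwr01 login[831]: pam_krb5afs: Got 148 extra bytes in v4 TGT
"""
FAILING_LOG = """\
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: authentication succeeds for schulz
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: TGT for schulz not verified (no required_tgs defined)
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: Got bad v4 TGT for "krbtgt.IWRMM.UNI-KARLSRUHE.DE@IWRMM.UNI-KARLSRUHE.DE"
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: Got 148 extra bytes in v4 TGT
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: v4 ticket conversion failed for schulz: Unknown code k524 0 (shouldn't happen)
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: removing /tmp/krb5cc_500_NDtWDS
Aug 16 19:15:30 iwr15 login[18683]: pam_krb5afs: v4 ticket conversion failed for schulz: Unknown code k524 0 (shouldn't happen)
"""

# Timestamp, host, program[pid], then the module tag and its message.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<host>\S+)\s+\S+?(?:\[\d+\])?:\s+"
    r"pam_krb5afs:\s+(?P<msg>.*)$"
)
CCACHE_RE = re.compile(r"/tmp/krb5cc_\S+")  # cache name has a random per-login suffix


def module_messages(log_text):
    """Count pam_krb5afs messages, with the per-login cache name normalized."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines from other programs or modules are skipped
            counts[CCACHE_RE.sub("<ccache>", m.group("msg"))] += 1
    return counts


def only_in_failing(working_text, failing_text):
    """Messages logged on the failing host that never appear on the working one."""
    working = module_messages(working_text)
    failing = module_messages(failing_text)
    return {msg: n for msg, n in failing.items() if msg not in working}


if __name__ == "__main__":
    for msg, n in only_in_failing(WORKING_LOG, FAILING_LOG).items():
        print(f"{n}x {msg}")
```

With the "debug" argument enabled on both hosts, the same comparison can be run over the fuller output to see where the two installations diverge.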