[OpenAFS] pam_krb5afs anyone?

Martin Schulz schulz@iwrmm.math.uni-karlsruhe.de
30 May 2001 22:11:28 +0200


Hello again,

I still have a problem getting the pam integration working. AFS is
running fine, krb5 is running fine, krb524d and aklog are running
fine. However, I want to obtain the tokens automatically when logging
in.

I am running OpenAFS 1.0.4 client on Linux 2.2.16 smp against
OpenAFS 1.0.3 server on Solaris, the krb5 kdc is running on a third machine.

When logging in, the pam_krb5afs module gets the kerberos 5 tickets,
but does not get a kerberos IV ticket nor any afs token. These are the
messages in the log file:

---------------------------------------------------------------
May 30 20:18:44 iwr07 login[21930]: pam_krb5afs: authentication succeeds for schulz
May 30 20:18:44 iwr07 login[21930]: pam_krb5afs: couldn't get v4 TGT for 
      schulz@IWRMM.UNI-KARLSRUHE.DE (Can't send request (send_to_kdc)), continuing
May 30 20:18:44 iwr07 login[21930]: pam_krb5afs: 
        v4 ticket conversion failed for schulz: -1750206208 (Unknown code k524 0)
May 30 20:18:44 iwr07 login[21930]: pam_krb5afs: 
        v4 ticket conversion failed for schulz: -1750206208 (Unknown code k524 0)
----------------------------------------------------------------

This "send_to_kdc" made me think the reason could be the pam module
contacting the afs server instead of the kerberos kdc. Therefore, I
installed fakeka and ka-forwarder today, though I have not seen the
necessity to do so before. However, that did not help (see above),
though I now can also use klog to authenticate.

I have in the corresponding pam file the following entries (among others):
-------------------------------------------------------------------------------
auth        sufficient    /lib/security/pam_krb5afs.so use_first_pass tokens
password    sufficient    /lib/security/pam_krb5afs.so use_authtok debug
session     optional      /lib/security/pam_krb5afs.so debug
-------------------------------------------------------------------------------

In my krb5.conf, I have (among others):
-------------------------------------------------------------------------------
[pam]
 debug = true
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = true
 afs_cells = iwrmm.uni-karlsruhe.de
-------------------------------------------------------------------------------


Does anybody have a similar setup working properly?

Any suggestions? The module is not very verbose nor very well documented, you know..

Is there even a better pam module available? 

Yours,
-- 
Martin Schulz                             schulz@iwrmm.math.uni-karlsruhe.de
Uni Karlsruhe, Institut f. wissenschaftliches Rechnen u. math. Modellbildung
Engesser Str. 6, 76128 Karlsruhe