[OpenAFS] pam_krb5afs anyone?

Nalin Dahyabhai nalin@redhat.com
Thu, 31 May 2001 11:20:27 -0400


On Wed, May 30, 2001 at 10:11:28PM +0200, Martin Schulz wrote:
> When logging in, the pam_krb5afs module get the kerberos 5 tickets,
> but does not get a kerberos IV ticket nor any afs token. These are the
> messages in the log file:
> 
> ---------------------------------------------------------------
> May 30 20:18:44 iwr07 login[21930]: pam_krb5afs: authentication succeeds for schulz
> May 30 20:18:44 iwr07 login[21930]: pam_krb5afs: couldn't get v4 TGT for 
>       schulz@IWRMM.UNI-KARLSRUHE.DE (Can't send request (send_to_kdc)), continuing
> May 30 20:18:44 iwr07 login[21930]: pam_krb5afs: 
>         v4 ticket conversion failed for schulz: -1750206208 (Unknown code k524 0)
> May 30 20:18:44 iwr07 login[21930]: pam_krb5afs: 
>         v4 ticket conversion failed for schulz: -1750206208 (Unknown code k524 0)
> ----------------------------------------------------------------
> 
> This "send_to_kdc" made me think the reason could be the pam module
> contacting the afs server instead of the kerberos kdc. Therefore, I
> installed fakeka and ka-forwarder today, though I have not seen the
> necessity to do so before. However, that did not help (see above),
> though I now can also use klog to authenticate.

Do you have krb.conf and krb.realms files in /etc?  Attempts to get
a v4 TGT use the functions in libkrb4, which AFAIK don't read their
configuration from krb5.conf.  (Equivalently, does "kinit -4" work?)

Nalin