[OpenAFS] OpenAFS and krb5afs

Michael Lasevich openafslist@lasevich.net
Wed, 3 Apr 2002 13:34:05 -0800


For the moment I backed off trying to get AD to work transparently with AFS and decided to try to get just AFS and MIT's KRB5 to cooperate.

I've set up a krb5 KDC server and OpenAFS client on one machine (kdcserver1 RH7.2)
I've set up an OpenAFS server/client on another machine (afsserver1 RH7.2)
I've installed openafs-krb5 package on both.

The problem I am running into is that I cannot get the krb5afs PAM module to work properly.
I can log in (get a V5 ticket) but I must run aklog to get a token. My understanding is that krb5afs should take care of this. On afsserver1 I get "pam_krb5afs: v4 ticket conversion failed for `max': -1750206208 (Unknown code k524 0)" in /var/log/messages (max is the username). On kdcserver1 things are a bit different - I get the following in /var/log/messages:
-----
Apr  3 13:27:23 kdcserver1 sshd(pam_unix)[8981]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=kdcserver1  user=max
Apr  3 13:27:23 kdcserver1 sshd[8981]: pam_krb5afs: authentication succeeds for `max'
Apr  3 13:27:23 kdcserver1 sshd[8981]: pam_krb5afs: service name in v4 TGT too long: rO|4A¡6^M
Apr  3 13:27:23 kdcserver1 sshd[8981]: pam_krb5afs: Got 179 extra bytes in v4 TGT
Apr  3 13:27:23 kdcserver1 sshd(pam_unix)[8981]: session opened for user max by (uid=0)
--------

and klist returns a valid V5 ticket and the following for V4:
--------------
Kerberos 4 ticket cache: /tmp/tkt2020_pjaoCE
klist: can't find realm of ticket file: Bad ticket file format (tf_util)
-------------

On both servers if I run aklog - everything works. Any ideas?

Thank you,

-Michael
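
An added example, not part of the original message: the number in the afsserver1 log line is a com_err code, and the sketch below unpacks it into error table name and offset and checks that against the "Unknown code k524 0" text that com_err prints when the table's messages are not registered in the reporting process. The packing constants are those of the com_err library; the function names and the syslog prefix of the sample line are constructed for illustration.

```python
import re

# com_err packs a table name 6 bits per character (1-based index into
# this alphabet) above an 8-bit per-table error offset.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz0123456789_")
ERRCODE_RANGE = 8
BITS_PER_CHAR = 6

def decode_com_err(code):
    """Split a com_err code into (table_name, offset)."""
    code &= 0xFFFFFFFF                      # syslog shows it as signed 32-bit
    offset = code & ((1 << ERRCODE_RANGE) - 1)
    packed = (code >> ERRCODE_RANGE) & 0xFFFFFF
    name = ""
    for i in range(3, -1, -1):              # four 6-bit groups, high to low
        ch = (packed >> (BITS_PER_CHAR * i)) & 0x3F
        if ch:
            name += CHARSET[ch - 1]
    return name, offset

def encode_table_base(name):
    """Inverse mapping: signed 32-bit base code of an error table name."""
    packed = 0
    for c in name:
        packed = (packed << BITS_PER_CHAR) | (CHARSET.index(c) + 1)
    value = (packed << ERRCODE_RANGE) & 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value

LINE = re.compile(
    r"pam_krb5afs: v4 ticket conversion failed for `(?P<user>[^']+)': "
    r"(?P<code>-?\d+) \(Unknown code (?P<table>\w+) (?P<off>\d+)\)")

def check_line(line):
    """Decode the numeric code in a log line and compare with its text."""
    m = LINE.search(line)
    if not m:
        return None
    table, off = decode_com_err(int(m["code"]))
    return {"user": m["user"], "table": table, "offset": off,
            "consistent": (table, off) == (m["table"], int(m["off"]))}

# Constructed sample: the message quoted in the post, with a made-up prefix.
SAMPLE = ("Apr  3 13:27:23 afsserver1 sshd[1234]: pam_krb5afs: v4 ticket "
          "conversion failed for `max': -1750206208 (Unknown code k524 0)")

if __name__ == "__main__":
    print(check_line(SAMPLE))
```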


