[OpenAFS] aklog does not work during login
Derek Atkins
OpenAFS-info@openafs.org
11 May 2002 11:21:22 -0400
The one thing you never show is what you get from "tokens". I don't
know enough about the krb-afs part of pam_krb5, so I don't know
whether it's trying to use v4 tickets or use a krb524 conversion...
Check your KDC logs. It looks like your v4 ticket is bad. I don't
know why.
-derek
markus hetzenecker <markus.hetzenecker@uibk.ac.at> writes:
> hello.
>
> well, I read the guides and mailing list, but I could not find a solution, so here I am:
> system: RedHat 7.3 i386 Linux, Openafs 1.2.3, pam_krb5-1.55-1.
>
> the problem: during login I get no afs token.
> the pam modules are configured (with authconf). everything is running on the same machine.
> but what works is as follows:
> after login (or with kinit) as user0:
>
> bash-2.05a$ klist
> Ticket cache: FILE:/tmp/krb5cc_501_Sz8iV6
> Default principal: user0@UIBK.AC.AT
>
> Valid starting Expires Service principal
> 05/11/02 15:09:11 05/12/02 01:09:11 krbtgt/UIBK.AC.AT@UIBK.AC.AT
> renew until 05/11/02 15:09:11
>
> Kerberos 4 ticket cache: /tmp/tkt501_JcyOJr
> klist: can't find realm of ticket file: Bad ticket file format (tf_util)
> bash-2.05a$ aklog
> bash-2.05a$ klist
> Ticket cache: FILE:/tmp/krb5cc_501_iTdGY1
> Default principal: user0@UIBK.AC.AT
>
> Valid starting Expires Service principal
> 05/11/02 15:57:18 05/12/02 01:57:18 krbtgt/UIBK.AC.AT@UIBK.AC.AT
> 05/11/02 15:57:27 05/12/02 01:57:18 afs/uibk.ac.at@UIBK.AC.AT
>
> Kerberos 4 ticket cache: /tmp/tkt501_abzSIP
> klist: can't find realm of ticket file: Bad ticket file format (tf_util)
> bash-2.05a$
> ------------------------------------------
> with this procedure I am able to access the /afs files
> but kinit -4 yields (with the same password):
> bash-2.05a$ kinit -4
> Password for user0@UIBK.AC.AT:
> kinit(v4): Password incorrect
> bash-2.05a$
>
> so I can not get a v4 ticket. (should I?)
>
> Next there is a collection of some config lines:
> [root@lmc-c102 root]# asetkey list
> kvno 4: key is: 46d0f12ff46dc838
> All done.
>
> kadmin.local: getprinc afs/uibk.ac.at
> Principal: afs/uibk.ac.at@UIBK.AC.AT
> ...
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 4, DES cbc mode with CRC-32, no salt
> ...
>
> kadmin.local: getprinc user0
> Principal: user0@UIBK.AC.AT
> ...
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 2
> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 1, DES cbc mode with CRC-32, no salt
> ...
>
> /var/kerberos/krb5kdc/kdc.conf:
> [kdcdefaults]
> ...
> v4_mode = nopreauth
>
> [realms]
> UIBK.AC.AT = {
> master_key_type = des-cbc-crc
> supported_enctypes = des3-cbc-raw:normal des3-cbc-raw:norealm des3-cbc-raw:onlyrealm des3-cbc-sha1:normal des3-cbc-sha1:norealm des3-cbc-sha1:onlyrealm des-cbc-crc:v4 des-cbc-crc:afs3 des-cbc-crc:normal des-cbc-crc:norealm des-cbc-crc:onlyrealm des-cbc-md4:v4 des-cbc-md4:afs3 des-cbc-md4:normal des-cbc-md4:norealm des-cbc-md4:onlyrealm des-cbc-md5:v4 des-cbc-md5:afs3 des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm des-cbc-raw:v4 des-cbc-raw:afs3 des-cbc-raw:normal des-cbc-raw:norealm des-cbc-raw:onlyrealm des-cbc-sha1:v4 des-cbc-sha1:afs3 des-cbc-sha1:normal des-cbc-sha1:norealm des-cbc-sha1:onlyrealm
> }
> ---------------------------------------------
> maybe the debug output is more interesting
> pam_krb5afs:debug:
> ...
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: `user0' has uid 501, gid 501
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: attempting to authenticate `user0'
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: get_int_tkt returned Success
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: authentication succeeds for `user0'
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: credentials saved for `user0'
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: ciphertext length in TGT = 104
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: Got v4 TGT for `jÍ\221¤9#'+\2232ð&^AfÝÉ^N\213^Ge£¿\234G\215i^Z^K¦^Pè^NH«\217\223IH¥.c"úN`yý^^äº_@'
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: Got 297 extra bytes in v4 TGT
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: Extra data = ò^P@0
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: Extra data =
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: get_config() called
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: Creating a ticket with addresses
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: krb4_convert true
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: will afslog to cells `uibk.ac.at'
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: will afslog to cell `uibk.ac.at'
> ...
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: KRB5CCNAME=FILE:/tmp/krb5cc_501_pPynYH
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: opening ticket file `/tmp/tkt501_L6Aq91'
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: save v4 creds (jÍ\221¤9#'+\2232ð&^AfÝÉ^N\213^Ge£¿\234G\215i^Z^K¦^Pè^NH«\217\223IH¥.c"úN`yý^^äº_@:36), 142
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: KRBTKFILE=/tmp/tkt501_L6Aq91
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: k_setpag()
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: k_setpag() returned 0
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: afslog() to cell `uibk.ac.at'
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: afslog() returned 79
> May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: setting ownership on `/tmp/krb5cc_501_pPynYH' to 501/501
> ...
>
> sorry for the long listing, but I do not know what is wrong.
> I am wondering why kinit/aklog works, but not the pam module. (I also tried pam_krb5afs-1.46)
> thanks for any help.
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
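The thread's diagnosis rests on reading the pam_krb5afs debug output: the v4 TGT owner comes out as binary garbage, the module reports extra bytes after the v4 ticket, and afslog() returns a nonzero code, so no token is set. Below is an added example (not code from the thread or from pam_krb5afs) that scans such syslog lines and reports those symptoms; the sample log is constructed, modelled on the quoted lines with the unprintable principal shortened.

```python
import re

# Constructed sample modelled on the pam_krb5afs syslog lines quoted above
# (not a real capture; the garbled principal is shortened).
SAMPLE_LOG = r"""
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: authentication succeeds for `user0'
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: Got v4 TGT for `j\221\2232&^Af\213G'
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: Got 297 extra bytes in v4 TGT
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: krb4_convert true
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: afslog() to cell `uibk.ac.at'
May 11 14:45:28 lmc-c102 login[2008]: pam_krb5afs: afslog() returned 79
"""

# A sane ticket owner is a printable principal, optionally with @REALM.
PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9._/-]+(@[A-Za-z0-9.-]+)?$")
MSG_RE = re.compile(r"pam_krb5afs: (.*)$")

def analyze_pam_krb5afs(log_text):
    """Return (severity, message) findings for one login attempt's debug lines."""
    findings = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group(1)
        # The v4 TGT owner should be a readable principal; binary garbage means
        # the v4 ticket the module holds is not a usable ticket.
        tgt = re.match(r"Got v4 TGT for `(.*)'$", msg)
        if tgt and not PRINCIPAL_RE.match(tgt.group(1)):
            findings.append(("error", "v4 TGT owner is not a valid principal (ticket looks corrupt)"))
        # Trailing data after the v4 ticket structure is unexpected and worth flagging.
        extra = re.match(r"Got (\d+) extra bytes in v4 TGT$", msg)
        if extra and int(extra.group(1)) > 0:
            findings.append(("warn", f"{extra.group(1)} extra bytes after v4 TGT"))
        # afslog() is the step that turns the ticket into an AFS token; nonzero means no token.
        rc = re.match(r"afslog\(\) returned (-?\d+)$", msg)
        if rc and int(rc.group(1)) != 0:
            findings.append(("error", f"afslog() failed with code {rc.group(1)}; no AFS token set"))
        # Context only: the module itself is producing v4 credentials from the v5 TGT.
        if msg == "krb4_convert true":
            findings.append(("info", "module configured with krb4_convert"))
    return findings

def login_got_token(log_text):
    """True when no error-level symptom appears, i.e. the AFS token step succeeded."""
    return not any(sev == "error" for sev, _ in analyze_pam_krb5afs(log_text))

if __name__ == "__main__":
    for sev, text in analyze_pam_krb5afs(SAMPLE_LOG):
        print(f"[{sev}] {text}")
```

Feed it `grep pam_krb5afs /var/log/messages` output from a failed login to get the same three-line summary instead of reading the full debug trace.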