[OpenAFS] timeout problems with ssh, pam_krb5 and afs?
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 17 Dec 2003 23:41:59 -0500
On Wednesday, December 17, 2003 21:57:34 -0600 Andrew Leahy
<aleahy@knox.edu> wrote:
> I set up an AFS server on a system running Fedora Core 1. AFS works
> without a problem, but I'm having issues with people trying to log in to
> the server (via ssh). In particular, whenever a user logs in, the login
> sequence hangs for about 20 seconds after they offer a password and the
> following is written to /var/log/messages:
>
> Dec 17 19:48:37 leibniz sshd[18366]: pam_krb5[18366]: got error 76 (Name
> not unique on network) while obtaining tokens for knox.edu
>
> This problem wasn't present before AFS was installed, and from looking at
> the source to pam_krb5 I've narrowed it down to a call to krb_afslog
> which is only made when /afs is present:
>
>     ret = krb_afslog(cell, options->realm);
>     if (ret != 0) {
>         if (stash->v5attempted != 0) {
>             warn("got error %d (%s) while obtaining "
>                  "tokens for %s",
>                  ret, error_message(ret), cell);
>         } else {
>             debug("got error %d (%s) while obtaining "
>                   "tokens for %s",
>                   ret, error_message(ret), cell);
>         }
>     }
>
> Can anybody tell me what this error means or how to get rid of it? I
> don't know if it's helpful, but the system is authenticating to a Windows
> 2000 Kerberos server and, following various posts on this list, AFS has
> been configured to use the Windows Kerberos server as well. I have
> krb524d -k running on my system, but for the time being users have to run
> aklog manually to have access to AFS space.

The "Name not unique on network" message is what goes with ENOTUNIQ, which
on Linux is errno 76. However, in this case the value being returned by
krb_afslog is neither an errno value nor a com_err error code, and so
error_message is not doing anything useful to it.

In this context, error 76 is actually the Kerberos 4 error NO_TKT_FIL (No
ticket file found). What I suspect is happening here is that your pam_krb5
is linked against a krb4 version of the kafs library, so you're trying to
get AFS tokens using a nonexistent krb4 ticket file.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
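
The namespace mix-up described in the reply above, as an added example that is not part of the original thread or of pam_krb5: a com_err-style lookup sees no table id in the value 76 and falls back to the errno string, while the same integer read as a raw Kerberos 4 return value is NO_TKT_FIL. The function and enum names are hypothetical, the krb4 values are those defined in Kerberos 4's krb.h, and the errno text printed depends on the platform's strerror.

```c
#include <stdio.h>
#include <string.h>

/* com_err packs an error-table id into the bits above the low 8;
 * the low 8 bits are the offset within that table. */
#define ERRCODE_RANGE 8

enum err_ns { NS_COM_ERR, NS_KRB4 };   /* hypothetical: where the code came from */

/* Kerberos 4 ticket-file codes as defined in krb.h: raw small integers. */
static const struct { int code; const char *name; } krb4_codes[] = {
    { 76, "NO_TKT_FIL" }, { 77, "TKT_FIL_ACC" }, { 78, "TKT_FIL_LCK" },
    { 79, "TKT_FIL_FMT" }, { 80, "TKT_FIL_INI" },
};

long com_err_table(long code) { return code & ~((1L << ERRCODE_RANGE) - 1); }

/* Returns the krb4 symbol for a raw krb4 return value, or NULL if unknown. */
const char *krb4_name(int code) {
    for (size_t i = 0; i < sizeof krb4_codes / sizeof krb4_codes[0]; i++)
        if (krb4_codes[i].code == code)
            return krb4_codes[i].name;
    return NULL;
}

/* Describe `code` according to the namespace the caller says it came from.
 * Returns 1 if the text came from the errno fallback, 0 otherwise. */
int describe(long code, enum err_ns ns, char *buf, size_t len) {
    if (ns == NS_KRB4) {
        const char *n = krb4_name((int)code);
        snprintf(buf, len, "krb4 %s", n ? n : "(unknown code)");
        return 0;
    }
    if (com_err_table(code) == 0) {       /* no table id: treated as errno */
        snprintf(buf, len, "errno: %s", strerror((int)code));
        return 1;
    }
    snprintf(buf, len, "com_err table %ld, offset %ld",
             com_err_table(code), code - com_err_table(code));
    return 0;
}

int main(void) {
    char buf[128];
    describe(76, NS_COM_ERR, buf, sizeof buf);  /* what the log line shows */
    printf("as com_err/errno: %s\n", buf);
    describe(76, NS_KRB4, buf, sizeof buf);     /* what the value means */
    printf("as krb4 code:     %s\n", buf);
    return 0;
}
```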