[OpenAFS] timeout problems with ssh, pam_krb5 and afs?

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 17 Dec 2003 23:41:59 -0500


On Wednesday, December 17, 2003 21:57:34 -0600 Andrew Leahy 
<aleahy@knox.edu> wrote:

> I set up an AFS server on a system running Fedora Core 1.  AFS works
> without a problem, but I'm having issues with people trying to log in to
> the server (via ssh).  In particular, whenever a user logs in, the login
> sequence hangs for about 20 seconds after they offer a password and the
> following is written to /var/log/messages:
>
> Dec 17 19:48:37 leibniz sshd[18366]: pam_krb5[18366]: got error 76 (Name
> not unique on network) while obtaining tokens for knox.edu
>
> This problem wasn't present before AFS was installed, and from looking at
> the source to pam_krb5 I've narrowed it down to a call to krb_afslog
> which is only made when /afs is present:
>
>   ret = krb_afslog(cell, options->realm);
>   if (ret != 0) {
>           if (stash->v5attempted != 0) {
>                   warn("got error %d (%s) while obtaining "
>                        "tokens for %s",
>                        ret, error_message(ret), cell);
>           } else {
>                   debug("got error %d (%s) while obtaining "
>                         "tokens for %s",
>                         ret, error_message(ret), cell);
>           }
>   }
>
> Can anybody tell me what this error means or how to get rid of it?  I
> don't know if it's helpful, but the system is authenticating to a Windows
> 2000 kerberos server and, following various posts on this list, AFS has
> been configured to use the Windows kerberos server as well.  I have
> krb524d -k running on my system, but for the time being users have to run
> aklog manually to have access to AFS space.


The "Name not unique on network" message is what goes with ENOTUNIQ, which 
on Linux is errno 76.  However, in this case the value being returned by 
krb_afslog is neither an errno value nor a com_err error code, and so 
error_message is not doing anything useful to it.


In this context, error 76 is actually the Kerberos 4 error NO_TKT_FIL (No 
ticket file found).  What I suspect is happening here is that your pam_krb5 
is linked against a krb4 version of the kafs library, so you're trying to 
get AFS tokens using a nonexistent krb4 ticket file.


-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
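
An added illustration of the mix-up described in the reply above; it is not part of the original message or of pam_krb5. A com_err-style lookup treats any code whose table part is zero as an errno, so the raw krb4 value 76 is printed with the errno 76 text. The helper names and the "krb" table name are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* com_err packs a table id into the upper bits of a code and a per-table
 * index into the low 8 bits. A code with a zero table part is an errno. */
#define ET_INDEX_BITS 8

static const char et_chars[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";

/* Table base derived from a table name of up to 4 characters (6 bits each). */
long et_base(const char *name)
{
    long num = 0;
    for (size_t i = 0; name[i] != '\0' && i < 4; i++) {
        const char *p = strchr(et_chars, name[i]);
        if (p == NULL)
            return -1;              /* character not allowed in a table name */
        num = (num << 6) + (p - et_chars) + 1;
    }
    return num << ET_INDEX_BITS;
}

/* What an error_message()-style lookup does with a code from no table. */
const char *decode_as_errno(long code)
{
    return (code >> ET_INDEX_BITS) == 0 ? strerror((int)code) : NULL;
}

/* Move a raw krb4 return value (1..255) into a table range so a com_err
 * lookup cannot confuse it with an errno. Assumption: the krb4 error
 * table is named "krb". */
long krb4_to_com_err(int raw)
{
    if (raw <= 0 || raw > 255)
        return raw;                 /* success, or not a raw krb4 code */
    return et_base("krb") + raw;
}

int main(void)
{
    int ret = 76;                   /* NO_TKT_FIL, as returned by krb_afslog */
    printf("raw %d decoded as errno: %s\n", ret, decode_as_errno(ret));
    printf("tagged code %ld is errno-decodable: %s\n", krb4_to_com_err(ret),
           decode_as_errno(krb4_to_com_err(ret)) ? "yes" : "no");
    return 0;
}
```

When a log line shows a small integer next to an errno-style message from a Kerberos or AFS call, check which error namespace the called function actually returns before trusting the text.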