[OpenAFS] kcheckpass annoyances
Christian Ospelkaus
christian@core-coutainville.org
Mon, 10 Nov 2003 18:44:18 +0100
Hello,
Maybe people on this list have seen this issue before. I am running 1.2.10 on
Debian/testing. My KDC is Heimdal, and I use the libpam-krb5 PAM module in
combination with libpam-openafs-session. Everything works fine; I can log in
with ssh, kdm, at the console etc. However, I cannot get unlocking of the
screensaver with my Kerberos password working. Here is what happens:
The KDE kdesktop_lock program seems to call a program called kcheckpass to
check the password. kcheckpass has its own associated PAM configuration
file, /etc/pam.d/kcheckpass:
auth sufficient pam_krb5.so
auth required pam_unix.so shadow nullok try_first_pass
However, I cannot unlock the screen using this configuration. This does not
change if I add account and session entries. Strangely enough, running strace
on kcheckpass shows that /etc/pam.d/other is also accessed...
Also, I notice that the PAM module talks to my KDC, but gets interrupted
somewhere in between. Below is a part of my KDC's log:
Logging into some machine via ssh:
2003-11-10T18:21:12 AS-REQ christia@PHYSNET.UNI-HAMBURG.DE from
IPv4:134.100.XXX.XXX for krbtgt/PHYSNET.UNI-HAMBURG.DE@PHYSNET.UNI-HAMBURG.DE
2003-11-10T18:21:12 Using des3-cbc-sha1/des3-cbc-sha1
2003-11-10T18:21:12 Requested flags: renewable_ok, proxiable, forwardable
2003-11-10T18:21:12 sending 607 bytes to IPv4:134.100.XXX.XXX
2003-11-10T18:21:12 TGS-REQ christia@PHYSNET.UNI-HAMBURG.DE from
IPv4:134.100.XXX.XXX for afs/physnet.uni-hamburg.de@PHYSNET.UNI-HAMBURG.DE
[proxiable, forwardable]
2003-11-10T18:21:12 sending 587 bytes to IPv4:134.100.XXX.XXX
2003-11-10T18:21:12 524-REQ christia@PHYSNET.UNI-HAMBURG.DE from
IPv4:134.100.XXX.XXX for afs/physnet.uni-hamburg.de@PHYSNET.UNI-HAMBURG.DE
2003-11-10T18:21:12 sending 1266 bytes to IPv4:134.100.XXX.XXX
Running kcheckpass:
2003-11-10T18:21:51 AS-REQ christia@PHYSNET.UNI-HAMBURG.DE from
IPv4:134.100.XXX.XXX for krbtgt/PHYSNET.UNI-HAMBURG.DE@PHYSNET.UNI-HAMBURG.DE
2003-11-10T18:21:51 Using des3-cbc-sha1/des3-cbc-sha1
2003-11-10T18:21:51 Requested flags: renewable_ok, proxiable, forwardable
2003-11-10T18:21:51 sending 607 bytes to IPv4:134.100.XXX.XXX
I currently do not see anything else to check. Does anybody know what to do?
Thanks and best regards,
Christian Ospelkaus
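
The two KDC log excerpts in the post differ in one respect: the ssh login continues from AS-REQ to TGS-REQ and 524-REQ, while the kcheckpass run shows only the AS-REQ. The following is an added example, not part of the original post, that picks such stopped exchanges out of a KDC log in the format quoted above; the sample lines are constructed (wrapped lines joined, placeholder user, realm and address), and the function names and the 10-second grouping window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the log format quoted in the post; user, realm and
# address are placeholders, and each request is on a single line.
SAMPLE_LOG = """\
2003-11-10T18:21:12 AS-REQ alice@EXAMPLE.ORG from IPv4:192.0.2.10 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
2003-11-10T18:21:12 Using des3-cbc-sha1/des3-cbc-sha1
2003-11-10T18:21:12 sending 607 bytes to IPv4:192.0.2.10
2003-11-10T18:21:12 TGS-REQ alice@EXAMPLE.ORG from IPv4:192.0.2.10 for afs/example.org@EXAMPLE.ORG [proxiable, forwardable]
2003-11-10T18:21:12 524-REQ alice@EXAMPLE.ORG from IPv4:192.0.2.10 for afs/example.org@EXAMPLE.ORG
2003-11-10T18:21:51 AS-REQ alice@EXAMPLE.ORG from IPv4:192.0.2.10 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
2003-11-10T18:21:51 sending 607 bytes to IPv4:192.0.2.10
"""

REQ = re.compile(r"^(\S+) (AS-REQ|TGS-REQ|524-REQ) (\S+) from (\S+) for (\S+)")

def exchanges(log_text, gap=timedelta(seconds=10)):
    """Group request lines per (client, address). A new exchange starts after a
    pause longer than `gap`, or when an AS-REQ follows a later step."""
    result, current = [], {}
    for line in log_text.splitlines():
        m = REQ.match(line)
        if not m:
            continue  # "Using ...", "sending ..." and flag lines carry no request
        ts, kind, client, addr, service = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        ex = current.get((client, addr))
        if (ex is None or when - ex["last"] > gap
                or (kind == "AS-REQ" and ex["steps"][-1][0] != "AS-REQ")):
            ex = {"client": client, "addr": addr, "start": ts, "steps": []}
            current[(client, addr)] = ex
            result.append(ex)
        ex["steps"].append((kind, service))
        ex["last"] = when
    return result

def stopped_after_tgt(log_text, service_prefix="afs/"):
    """Exchanges that requested a TGT but never a ticket for the service."""
    return [ex for ex in exchanges(log_text)
            if ex["steps"][0][0] == "AS-REQ"
            and not any(kind == "TGS-REQ" and svc.startswith(service_prefix)
                        for kind, svc in ex["steps"])]

if __name__ == "__main__":
    for ex in stopped_after_tgt(SAMPLE_LOG):
        print(ex["start"], ex["client"], ex["addr"], [k for k, _ in ex["steps"]])
```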