[OpenAFS] kcheckpass annoyances

Andreas Haupt ahaupt@ifh.de
Tue, 11 Nov 2003 14:30:40 +0100 (CET) 

On Tue, 11 Nov 2003, Christian Ospelkaus wrote:

> The extracts from my kdc log show that the krb5 pam module is actually called
> and talking to the kdc; however, it is interrupted somewhere in between...
> Best regards,
>
> Christian Ospelkaus
>
> Logging into some machine via ssh:
> 2003-11-10T18:21:12 AS-REQ christia@PHYSNET.UNI-HAMBURG.DE from
> IPv4:134.100.XXX.XXX for krbtgt/PHYSNET.UNI-HAMBURG.DE@PHYSNET.UNI-HAMBURG.DE
> 2003-11-10T18:21:12 Using des3-cbc-sha1/des3-cbc-sha1
> 2003-11-10T18:21:12 Requested flags: renewable_ok, proxiable, forwardable
> 2003-11-10T18:21:12 sending 607 bytes to IPv4:134.100.XXX.XXX

The TGT was sent to you.

> 2003-11-10T18:21:12 TGS-REQ christia@PHYSNET.UNI-HAMBURG.DE from
> IPv4:134.100.XXX.XXX for afs/physnet.uni-hamburg.de@PHYSNET.UNI-HAMBURG.DE
> [proxiable, forwardable]
> 2003-11-10T18:21:12 sending 587 bytes to IPv4:134.100.XXX.XXX

AFS Service Ticket (using your TGT) was sent to you.

> 2003-11-10T18:21:12 524-REQ christia@PHYSNET.UNI-HAMBURG.DE from
> IPv4:134.100.XXX.XXX for afs/physnet.uni-hamburg.de@PHYSNET.UNI-HAMBURG.DE
> 2003-11-10T18:21:12 sending 1266 bytes to IPv4:134.100.XXX.XXX

AFS Service Ticket (converted to Kerberos4) was sent to you.

> Running kcheckpasswd
> 2003-11-10T18:21:51 AS-REQ christia@PHYSNET.UNI-HAMBURG.DE from
> IPv4:134.100.XXX.XXX for krbtgt/PHYSNET.UNI-HAMBURG.DE@PHYSNET.UNI-HAMBURG.DE
> 2003-11-10T18:21:51 Using des3-cbc-sha1/des3-cbc-sha1
> 2003-11-10T18:21:51 Requested flags: renewable_ok, proxiable, forwardable
> 2003-11-10T18:21:51 sending 607 bytes to IPv4:134.100.XXX.XXX

You just get the new TGT. From the server side everything is OK. Can you
post your /etc/pam.d/kcheckpasswd?

If this doesn't work for you, try using pam_krb5 module by Balasz Gal.
http://sourceforge.net/projects/pam-krb5/

We use this among other things for kscreensaver with ticket/token refresh.
You wouldn't need pam_openafs-session anymore as well.

Greetings

-- 
Andreas Haupt         E-Mail: ahaupt@ifh.de
 DESY Zeuthen
 Platanenallee 6
 15738 Zeuthen