[OpenAFS] pam_gssklog with gdm

Douglas E. Engert deengert@anl.gov
Wed, 01 Oct 2003 12:56:56 -0500


Stephen Pearson wrote:
> 
> I'm trying to get OpenAFS to work on Linux with pam_gssklog and using
> a Windows 2003 server KDC.  I seem to be getting pretty close, but I
> can't get gdm to log me in.
> 
> So far I can login via SSH or on the console using my Windows principal
> password, and I see my TGT and afs token as expected.  However gdm login
> always fails and complains that it can't write to
> "~/.gconf-test-locking-file".  Syslog contains the following messages :
> 
> Oct  1 16:45:19 rit-scan gdm(pam_unix)[3921]: check pass; user unknown
> Oct  1 16:45:19 rit-scan gdm(pam_unix)[3921]: authentication failure;
> logname= uid=0 euid=0 tty=:0 ruser=gdm rhost=localhost
> Oct  1 16:45:19 rit-scan gdm-binary[3921]: pam_gssklog:
> pam_sm_authenticate:called
> Oct  1 16:45:19 rit-scan gdm-binary[3921]: pam_krb5: authentication
> succeeds for `stephen'
> Oct  1 16:45:19 rit-scan gdm-binary[3921]: pam_gssklog:
> pam_sm_setcred:called
> Oct  1 16:45:19 rit-scan gdm(pam_unix)[3921]: session opened for user
> stephen by (uid=0)
> Oct  1 16:45:19 rit-scan gdm[3921]: gdm_slave_session_start: Directory
> /afs/hpl.hp.com/home/stephen/.gnome2 does not exist.
> 
> Here's the auth section of my system-auth PAM config (I'm using nss
> LDAP as well).  For some reason, I have to add pam_gssklog before
> pam_krb5 or I don't get my AFS token.


Not sure why, other than since it is listed as optional, and the
krb5 is listed as sufficient, PAM might not be calling the optional
routines if the sufficient works.




> 
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        optional      /lib/security/$ISA/pam_gssklog.so.1 debug
> auth        sufficient    /lib/security/$ISA/pam_krb5.so try_first_pass
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
> 
> I have managed to make this work (including gdm) using pam_krb5afs
> against an MIT kerberos KDC running a krb524 service, but Win 2003
> only supports v5 tickets and gssklog seems to be the way to go.

> 
> It looks like pam_sm_setcred gets called, so maybe gdm doesn't set
> the PAG correctly?

The pam_gssklog will set the PAG. If there is more than one routine
setting the PAG, it would mean there is a problem, as only the last
PAG counts. Any AFS tokens obtained under the first PAG would be lost.

> 
> I'm using Red Hat 9, openafs-1.2.10, gssklog-0.10.
> 
> Anybody managed this before?
> 
> Thanks.
> Steve.
> 
> --
> [(hp)]   : Stephen Pearson <stephen@hp.com>
> invent   : RIT Platforms, HP Labs Bristol, UK
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
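The ordering effect Douglas describes (a `sufficient` pam_krb5 returning success ends the auth stack, so an `optional` pam_gssklog listed after it is never called) can be checked with a small simulation of Linux-PAM control-flag evaluation. This is an added example, not code from the thread or from the pam_gssklog project; the module names are those in Stephen's system-auth, the per-module outcomes are constructed, and the control-flag rules are a simplification of Linux-PAM's (the real stack also has `requisite` and the `[value=action]` syntax).

```python
# Added example: simulate Linux-PAM "auth" stack evaluation for the
# control flags used in the quoted system-auth file. Module outcomes
# are constructed; nothing here calls real PAM.
from typing import Dict, List, Tuple

PAM_SUCCESS, PAM_AUTH_ERR = 0, 7          # return codes as in Linux-PAM
Stack = List[Tuple[str, str]]             # (control flag, module name)


def run_auth_stack(stack: Stack, outcome: Dict[str, int]) -> Tuple[int, List[str]]:
    """Return (final status, modules actually called), in stack order.

    Simplified rules:
      required   - failure is remembered, but the stack keeps running
      requisite  - failure ends the stack immediately with that error
      sufficient - success ends the stack with PAM_SUCCESS unless an earlier
                   'required' module already failed; its own failure is ignored
      optional   - result ignored (unless it is the only module in the stack)
    """
    called: List[str] = []
    required_failed = None
    for control, module in stack:
        called.append(module)
        rc = outcome.get(module, PAM_AUTH_ERR)   # unknown module: treat as failure
        if control == "required" and rc != PAM_SUCCESS and required_failed is None:
            required_failed = rc
        elif control == "requisite" and rc != PAM_SUCCESS:
            return rc, called
        elif control == "sufficient" and rc == PAM_SUCCESS and required_failed is None:
            return PAM_SUCCESS, called           # short-circuit: later modules never run
        # 'optional' (and ignored failures) fall through to the next module
    if required_failed is not None:
        return required_failed, called
    return PAM_SUCCESS if len(stack) == 1 else PAM_AUTH_ERR, called


def system_auth(gssklog_after_krb5: bool) -> Stack:
    """Stephen's auth stack, with pam_gssklog before or after pam_krb5."""
    stack: Stack = [("required", "pam_env"), ("sufficient", "pam_unix")]
    gss, krb = ("optional", "pam_gssklog"), ("sufficient", "pam_krb5")
    stack += [krb, gss] if gssklog_after_krb5 else [gss, krb]
    stack += [("sufficient", "pam_ldap"), ("required", "pam_deny")]
    return stack


# Constructed outcomes for a user whose password lives only in the KDC:
# pam_unix fails ("check pass; user unknown"), pam_krb5 succeeds.
KRB_ONLY_USER = {"pam_env": PAM_SUCCESS, "pam_unix": PAM_AUTH_ERR,
                 "pam_gssklog": PAM_SUCCESS, "pam_krb5": PAM_SUCCESS,
                 "pam_ldap": PAM_SUCCESS}


def gssklog_called(gssklog_after_krb5: bool, outcome: Dict[str, int] = KRB_ONLY_USER) -> bool:
    """True if pam_gssklog is reached at all for this ordering and user."""
    _status, called = run_auth_stack(system_auth(gssklog_after_krb5), outcome)
    return "pam_gssklog" in called
```

Note that with pam_unix listed `sufficient` first, a user who authenticates locally ends the stack there, so pam_gssklog is not reached for that user in either ordering.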