[OpenAFS] Problems with OpenAFS kerberos

Pat Gunn pgunn@cs.cmu.edu
Thu, 11 Mar 2004 10:51:59 -0500 (EST)


Hello,
I'm in an AFS/Linux environment, and am using the Kerberos that's
part of OpenAFS to handle authentication.
So far, it's worked well for most users. To set it up,
I replaced
/etc/pam.d/system-auth
with this:

auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok debug
auth        sufficient    /lib/security/pam_krb5.so use_first_pass debug addressless
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so debug
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_krb5.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow debug
password    sufficient    /lib/security/pam_krb5.so use_authtok debug addressless
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so debug
session     optional      /lib/security/pam_krb5.so debug addressless

I set the cell in /usr/vice/etc, and made the local modifications to /etc/krb5.conf.

I made accounts in /etc/passwd for all the users, leaving /etc/shadow alone.
The two relevant accounts are:
pgunn:x:10280:500:Pat Gunn,NSH 3125,,:/home/pgunn:/bin/bash
censored:x:7675:10735:Censored:/afs/cs/user/censored:/bin/bash

Unfortunately, I can SSH in, he cannot, and we're certain it's not a
password problem. He can get in via ssh-keys, but not his AFS/Krb password,
although once he does get in, he can klog.
Here are the logs from /var/log/secure of me logging in:

Mar 11 10:14:35 logo sshd[6025]: Accepted password for pgunn from 128.2.222.44 port 53336 ssh2
Mar 11 10:14:35 logo sshd[6027]: pam_krb5[6027]: default/local realm 'CS.CMU.EDU'
Mar 11 10:14:35 logo sshd[6027]: pam_krb5[6027]: configured realm 'CS.CMU.EDU'
Mar 11 10:14:35 logo sshd[6027]: pam_krb5[6027]: flags: addressless forwardable
Mar 11 10:14:35 logo sshd[6027]: pam_krb5[6027]: flag: user_check
Mar 11 10:14:35 logo sshd[6027]: pam_krb5[6027]: flag: krb4_convert
Mar 11 10:14:35 logo sshd[6027]: pam_krb5[6027]: flag: warn
Mar 11 10:14:35 logo sshd[6027]: pam_krb5[6027]: ticket lifetime: 36000
Mar 11 10:14:35 logo sshd[6027]: pam_krb5[6027]: renewable lifetime: 36000
Mar 11 10:14:35 logo sshd[6027]: pam_krb5[6027]: banner: Kerberos 5
Mar 11 10:14:35 logo sshd[6027]: pam_krb5[6027]: ccache dir: /tmp
Mar 11 10:14:35 logo sshd[6027]: pam_krb5[6027]: keytab: /etc/krb5.keytab
Mar 11 10:14:35 logo sshd[6027]: pam_krb5[6027]: called to update credentials for 'pgunn'
Mar 11 10:14:35 logo sshd[6027]: pam_krb5[6027]: _pam_krb5_sly_refresh returning 0 (Success)

And the logs of him failing to:
Mar 11 10:09:44 logo sshd[5911]: Accepted password for censored from 128.2.222.44 port 53258 ssh2
Mar 11 10:09:44 logo sshd[5913]: pam_krb5[5913]: default/local realm 'CS.CMU.EDU'
Mar 11 10:09:44 logo sshd[5913]: pam_krb5[5913]: configured realm 'CS.CMU.EDU'
Mar 11 10:09:44 logo sshd[5913]: pam_krb5[5913]: flags: addressless forwardable
Mar 11 10:09:44 logo sshd[5913]: pam_krb5[5913]: flag: user_check
Mar 11 10:09:44 logo sshd[5913]: pam_krb5[5913]: flag: krb4_convert
Mar 11 10:09:44 logo sshd[5913]: pam_krb5[5913]: flag: warn
Mar 11 10:09:44 logo sshd[5913]: pam_krb5[5913]: ticket lifetime: 36000
Mar 11 10:09:44 logo sshd[5913]: pam_krb5[5913]: renewable lifetime: 36000
Mar 11 10:09:44 logo sshd[5913]: pam_krb5[5913]: banner: Kerberos 5
Mar 11 10:09:44 logo sshd[5913]: pam_krb5[5913]: ccache dir: /tmp
Mar 11 10:09:44 logo sshd[5913]: pam_krb5[5913]: keytab: /etc/krb5.keytab
Mar 11 10:09:44 logo sshd[5913]: pam_krb5[5913]: called to update credentials for 'censored'
Mar 11 10:09:44 logo sshd[5913]: pam_krb5[5913]: _pam_krb5_sly_refresh returning 0 (Success)
Mar 11 10:09:44 logo sshd[5913]: fatal: PAM setcred failed[3]: Error in service module

For those interested, this is using OpenAFS 1.2.10 (from the official RPMs) on Redhat
Fedora 1.0

He is able to log in on our Redhat 9 systems (running OpenAFS 1.2.9).

Any help I might get in debugging this, or areas to poke at further, would be
greatly appreciated. Thanks.

-- 
Pat Gunn
Research/Systems Programmer, Auton Group, CMU
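As an added example (not part of the post above), a small Python correlation over /var/log/secure lines that tells a rejected password apart from the case shown in the post, where sshd accepts the password and the failure comes afterwards in the PAM setcred phase. The sample lines are trimmed copies of the post's two excerpts; the regexes and function names are mine.

```python
import re

# Constructed sample: trimmed copies of the two /var/log/secure excerpts in the post.
SAMPLE_LOG = """\
Mar 11 10:14:35 logo sshd[6025]: Accepted password for pgunn from 128.2.222.44 port 53336 ssh2
Mar 11 10:14:35 logo sshd[6027]: pam_krb5[6027]: called to update credentials for 'pgunn'
Mar 11 10:14:35 logo sshd[6027]: pam_krb5[6027]: _pam_krb5_sly_refresh returning 0 (Success)
Mar 11 10:09:44 logo sshd[5911]: Accepted password for censored from 128.2.222.44 port 53258 ssh2
Mar 11 10:09:44 logo sshd[5913]: pam_krb5[5913]: called to update credentials for 'censored'
Mar 11 10:09:44 logo sshd[5913]: pam_krb5[5913]: _pam_krb5_sly_refresh returning 0 (Success)
Mar 11 10:09:44 logo sshd[5913]: fatal: PAM setcred failed[3]: Error in service module
"""

# In the post's logs the "Accepted password" line and the pam_krb5/setcred lines carry
# different sshd pids, so the user is bound to the setcred pid through pam_krb5's own
# "called to update credentials for '<user>'" line rather than through the accept line.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
SETCRED = re.compile(r"sshd\[(\d+)\]: pam_krb5\[\d+\]: called to update credentials for '([^']+)'")
FATAL = re.compile(r"sshd\[(\d+)\]: fatal: PAM setcred failed\[(\d+)\]: (.*)")


def correlate_logins(log_text):
    """Return {user: ("ok", None) or ("setcred_failed", (pam_code, message))}
    for every user whose password sshd accepted."""
    outcome = {}
    pid_user = {}  # setcred-phase sshd pid -> user it is handling
    for line in log_text.splitlines():
        if m := ACCEPTED.search(line):
            # Authentication itself succeeded; a later fatal line may still override this.
            outcome[m.group(1)] = ("ok", None)
        elif m := SETCRED.search(line):
            pid_user[m.group(1)] = m.group(2)
        elif m := FATAL.search(line):
            user = pid_user.get(m.group(1), "<unknown pid %s>" % m.group(1))
            # Code 3 is PAM_SERVICE_ERR: a module in the stack returned an error during
            # pam_setcred, i.e. after the password had already been accepted.
            outcome[user] = ("setcred_failed", (int(m.group(2)), m.group(3)))
    return outcome


def failed_after_auth(log_text):
    """Users who authenticated but were then refused in the setcred phase."""
    return sorted(u for u, (status, _) in correlate_logins(log_text).items()
                  if status == "setcred_failed")
```

Running it over the sample reports pgunn as "ok" and censored as "setcred_failed" with code 3, which matches the post: the password is not the problem, the module stack run by pam_setcred is.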