[OpenAFS] Krb5 AFS ticket conversion problems continue

Andrew Bacchi bacchi@rpi.edu
21 May 2004 11:55:27 -0400


I CAN log in and get K5 tickets, but they still are NOT showing up as
afs@xxx.xxx.  I've tried many options with PAM, and krb5.conf.  From
syslog below, why am I not contacting the KDC for Krb524d?  Thanks.

The Krb524d is running.
root     32588     1  0 May20 ?      00:00:00 /usr/local/sbin/kadmind
root     32620     1  0 May20 ?      00:00:00 /usr/local/sbin/krb5kdc
root     32636     1  0 May20 ?      00:00:00 /usr/local/sbin/krb524d -m

netstat shows the server listening on port 750.
udp        0      0 128.113.22.78:750       0.0.0.0:*


MIT K5 1.3.2, OpenAFS 1.2.11, RHAS 2.1.  firewall is down on both server
& client for testing.

klist shows no afs tokens.

Ticket cache: FILE:/tmp/krb5cc_65542_aRA8rN
Default principal: bacchi_a@WEB.RPI.EDU
Valid starting     Expires            Service principal
05/21/04 10:43:54  05/21/04 20:43:54  krbtgt/WEB.RPI.EDU@WEB.RPI.EDU
        renew until 05/21/04 10:43:54
Kerberos 4 ticket cache: /tmp/tkt65542_cxIYDy
Principal: bacchi_a@WEB.RPI.EDU
  Issued              Expires             Principal
05/21/04 10:43:54  05/21/04 20:43:54  krbtgt.WEB.RPI.EDU@WEB.RPI.EDU


/etc/krb5.conf has the krb524 server listed:
[realms]
 WEB.RPI.EDU = {
  kdc = krb5-1.server.rpi.edu:88
  kdc = krb5-2.server.rpi.edu:88
  krb524_server = krb5-1.server.rpi.edu:750
  admin_server = krb5-1.server.rpi.edu:749
  default_domain = rpi.edu


/var/log/messages error says it can't send the request:

May 21 10:43:54 ldap3 sshd[15610]: pam_krb5afs: authentication succeeds for `bacchi_a'
May 21 10:43:54 ldap3 sshd[15610]: pam_krb5afs: couldn't get v4 TGT for bacchi_a@WEB.RPI.EDU (Can't send request (send_to_kdc)), continuing
May 21 10:43:54 ldap3 sshd[15610]: pam_krb5afs: v4 ticket conversion succeeded for `bacchi_a'

/etc/pam.d/system-auth is:

#%PAM-1.0
auth        sufficient    /lib/security/pam_unix.so likeauth nullok debug audit
auth        sufficient    /lib/security/pam_krb5afs.so use_first_pass tokens
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_unix.so
account     required      /lib/security/pam_deny.so
password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_krb5afs.so use_authtok
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_krb5afs.so


-- 
Facade: Provide a unified interface to a set of interfaces in a
subsystem.

Andrew Bacchi
Staff Systems Programmer
Rensselaer Polytechnic Institute
phone: 518 276-6415  fax: 518 276-2809

http://www.rpi.edu/~bacchi/
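A small diagnostic, added here as an example and not part of the original post or of OpenAFS or MIT Kerberos: it parses the `[realms]` stanza of a krb5.conf to find the `krb524_server` host and port the client will contact, and scans pam_krb5afs syslog lines for the "couldn't get v4 TGT" failure so the two can be compared side by side. The embedded inputs are constructed from the post (the closing brace of the realm stanza is assumed, since the excerpt omits it).

```python
"""Correlate the krb524_server a client is configured to use with
pam_krb5afs v4-conversion failures seen in syslog."""
import re

# Constructed from the post's krb5.conf excerpt; closing brace assumed.
KRB5_CONF = """
[realms]
 WEB.RPI.EDU = {
  kdc = krb5-1.server.rpi.edu:88
  kdc = krb5-2.server.rpi.edu:88
  krb524_server = krb5-1.server.rpi.edu:750
  admin_server = krb5-1.server.rpi.edu:749
  default_domain = rpi.edu
 }
"""

# Constructed from the post's /var/log/messages excerpt.
SYSLOG = """\
May 21 10:43:54 ldap3 sshd[15610]: pam_krb5afs: authentication succeeds for `bacchi_a'
May 21 10:43:54 ldap3 sshd[15610]: pam_krb5afs: couldn't get v4 TGT for bacchi_a@WEB.RPI.EDU (Can't send request (send_to_kdc)), continuing
May 21 10:43:54 ldap3 sshd[15610]: pam_krb5afs: v4 ticket conversion succeeded for `bacchi_a'
"""

def parse_realms(conf):
    """Return {realm: {key: [values]}} for the [realms] section only."""
    realms, section, realm = {}, None, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None
            continue
        if section != "realms":
            continue
        opened = re.match(r"(\S+)\s*=\s*\{$", line)
        if opened:
            realm = opened.group(1)
            realms[realm] = {}
        elif line == "}":
            realm = None
        elif realm and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            realms[realm].setdefault(key, []).append(val)  # kdc may repeat
    return realms

def krb524_target(realms, realm):
    """(host, port-or-None) of the first krb524_server for realm, else None."""
    entries = realms.get(realm, {}).get("krb524_server")
    if not entries:
        return None
    host, _, port = entries[0].partition(":")
    return host, (int(port) if port else None)

V4_FAIL = re.compile(r"pam_krb5afs: couldn't get v4 TGT for (\S+) \((.*)\), continuing")

def v4_failures(log):
    """List of (principal, reason) for every failed v4 TGT conversion."""
    return [(m.group(1), m.group(2)) for m in map(V4_FAIL.search, log.splitlines()) if m]
```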