[OpenAFS] kerberos + pam

Maurizio Santini msantini@pictage.com.ar
Thu, 14 Oct 2004 14:08:15 -0300


I have installed MIT KerberosV version 1.3.4 on RedHat7.3 (master kdc)
and RedHat9 (client) and I'm using openafs 1.2.11.

The following is my /etc/pam.d/login (system-auth is the same) and I
have the following problems:
---------------------------------------------
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
#auth      sufficient   /lib/security/pam_afs.krb.so use_first_pass
auth       sufficient   /lib/security/pam_krb5afs.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_stack.so service=system-auth
password   sufficient   /lib/security/pam_krb5.so use_authtok
password   required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_krb5afs.so
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
---------------------------------------------
1) When I use the module provided by kerberos package (pam_krb5afs.so) I
get the following from /var/log/messages:
pam_krb5afs: couldn't get v4 TGT for mauri2@TEST.PICTAGE.COM.AR (Can't
send request (send_to_kdc)), continuing
Oct 13 18:40:07 opr011 pam_afs: AFS Password required but not supplied
by user mauri2
Oct 13 18:40:07 opr011 login: pam_krb5afs: v4 ticket conversion failed
for `mauri2': -1750206208 (Unknown code k524 0)
Oct 13 18:40:07 opr011  -- mauri2: LOGIN ON tty1 BY mauri2

In this case I can log in; I get the ticket but not the token.

2) If I use the same module provided by
http://sourceforge.net/projects/pam-krb5/ it results in this:
Oct 14 11:43:02 opr011 login[11395]: pam_krb5afs: authentication
succeeds for `mauri2'
Oct 14 11:43:02 opr011 login[11395]: pam_krb5afs: v4 ticket conversion
succeeded for `mauri2'
Oct 14 11:43:02 opr011 login(pam_unix)[11395]: session opened for user
mauri2 by (uid=0)
Oct 14 11:43:08 opr011  -- mauri2[11395]: LOGIN ON tty3 BY mauri2

Again I can log in; I get the ticket but not the token.

3) If I use the module pam_afs.krb.so provided by the openafs rpms I get
the following:
Oct 14 13:24:39 opr011 pam_afs[12394]: AFS Password required but not
supplied by user mauri2
Oct 14 13:24:42 opr011 login(pam_unix)[12394]: session opened for user
mauri2 by (uid=0)
Oct 14 13:24:42 opr011  -- mauri2: LOGIN ON tty3 BY mauri2

In this case I can log in, get the ticket and the token.  If I remove the
user with kas delete I cannot log in anymore (to my understanding only
one KerberosV user should be needed, otherwise it is like maintaining two
databases).  kaserver is running (if I shut it down the login prompt
hangs for a few seconds before letting me in, don't know why).

Any ideas what could be wrong?  I'm not using any aklog or fakeka.

Thanks for your help,

Maurizio Santini
System administrator
Ten Roses SRL
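A worked example, added here and not part of the post or of any of the PAM modules it mentions: a small Python script that parses a pam.d file in the syntax shown above, reports `auth` modules that are given `use_first_pass` without any earlier module in the stack that collects a password, and walks a stack with simplified Linux-PAM control-flag semantics so you can see which modules a `sufficient` success short-circuits. The sample stack is the one from the post; `PASSWORD_COLLECTORS` is an assumed list of modules that prompt for a password when they are not passed `use_first_pass`, and `pam_stack.so service=system-auth` is treated as a single opaque module rather than being expanded.

```python
from dataclasses import dataclass, field

# Constructed sample: the auth and account stacks from the post, in pam.d syntax.
SAMPLE_PAM = """\
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
#auth      sufficient   /lib/security/pam_afs.krb.so use_first_pass
auth       sufficient   /lib/security/pam_krb5afs.so use_first_pass
auth       required     /lib/security/pam_stack.so service=system-auth
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_stack.so service=system-auth
"""

# Assumption: modules that, when not given use_first_pass, prompt the user and
# leave the password in PAM_AUTHTOK for the modules after them.  pam_stack.so is
# deliberately left out because its nested stack is not expanded here.
PASSWORD_COLLECTORS = {"pam_unix.so", "pam_krb5.so", "pam_krb5afs.so",
                       "pam_afs.krb.so", "pam_ldap.so"}


@dataclass
class Entry:
    mtype: str                      # auth / account / password / session
    control: str                    # required / requisite / sufficient / optional
    module: str                     # basename, e.g. pam_krb5afs.so
    args: list = field(default_factory=list)


def parse_pam(text):
    """Parse pam.d lines into Entry objects; comment and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed pam line: {raw!r}")
        mtype, control, path, *args = parts
        entries.append(Entry(mtype, control.lower(), path.rsplit("/", 1)[-1], args))
    return entries


def stack(entries, mtype):
    """The entries of one management group (auth, account, ...) in file order."""
    return [e for e in entries if e.mtype == mtype]


def lint_first_pass(entries):
    """Names of auth modules given use_first_pass before any module has collected a password."""
    warnings = []
    have_token = False
    for e in stack(entries, "auth"):
        if "use_first_pass" in e.args and not have_token:
            warnings.append(e.module)
        if e.module in PASSWORD_COLLECTORS and "use_first_pass" not in e.args:
            have_token = True
    return warnings


def evaluate(entries, mtype, results):
    """Walk one stack with simplified Linux-PAM control-flag semantics.

    results maps module name -> True (success) / False (failure); a module not in
    the map is treated as failing.  Returns (final_ok, modules actually consulted)
    so the caller can see which modules never ran.
    """
    first_required_failure = None
    consulted = []
    for e in stack(entries, mtype):
        ok = results.get(e.module, False)
        consulted.append(e.module)
        if e.control == "requisite" and not ok:
            return False, consulted               # requisite failure ends the stack
        if e.control == "required" and not ok and first_required_failure is None:
            first_required_failure = e.module     # remembered, but the stack continues
        if e.control == "sufficient" and ok and first_required_failure is None:
            return True, consulted                # sufficient success short-circuits
        # optional: result ignored (only used when it is the sole module)
    return first_required_failure is None, consulted


if __name__ == "__main__":
    ents = parse_pam(SAMPLE_PAM)
    print("use_first_pass with no earlier password collector:", lint_first_pass(ents))
    ok, seen = evaluate(ents, "auth", {"pam_securetty.so": True, "pam_nologin.so": True,
                                       "pam_krb5afs.so": True, "pam_stack.so": True})
    print("pam_krb5afs succeeds ->", ok, "consulted:", seen)
```

On the posted stack the linter flags `pam_krb5afs.so`, because neither `pam_securetty` nor `pam_nologin` collects a password before it; whether a given pam_krb5 build falls back to prompting in that situation or fails outright depends on the module version, so treat the warning as something to verify, not as a diagnosis. The walk also shows that when the `sufficient` `pam_krb5afs.so` succeeds, the `pam_stack.so service=system-auth` line after it is never consulted, so anything placed only in system-auth runs for that login only if the Kerberos module fails.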