[OpenAFS] tokens at login

Dj Merrill deej@thayer.dartmouth.edu
Thu, 07 Apr 2005 11:41:59 -0400


Hi all,
	I'm banging my head on a problem and thought one of
you might have a hint that will help me solve this.

	I have a CentOS 3.4 server (basically RHEL 3.4)
running Krb5 and OpenAFS 1.2.13.  I am able to login
to the machine with my test account against Krb5 and
obtain an AFS token at login.  It has the following
krb related packages installed:
[root]# rpm -q -a | grep -i krb | sort
krb5-devel-1.2.7-42
krb5-libs-1.2.7-42
krb5-server-1.2.7-42
krb5-workstation-1.2.7-42
krbafs-1.1.1-11
krbafs-devel-1.1.1-11
krbafs-utils-1.1.1-11
pam_krb5-1.73-1


	I have a RHEL 4 system that I have set up as a client
running OpenAFS 1.3.81.
I have the same krb5.conf, krb.conf and krb.realms files
on the client, and I am able to successfully
authenticate against Krb5 and login, but I am unable to
get a token at login time.  It has the following:
[root]# rpm -q -a | grep -i krb | sort
krb5-auth-dialog-0.2-1
krb5-devel-1.3.4-12
krb5-libs-1.3.4-12
krb5-workstation-1.3.4-12
krbafs-1.2.2-6
krbafs-devel-1.2.2-6
krbafs-utils-1.2.2-6
pam_krb5-2.1.2-1

	However, I can issue the "afslog" command after login
and it obtains an AFS token just fine with no errors.

	In the logs I get:

Apr  7 11:14:08 galactica sshd[9019]: pam_krb5[9019]: got error -1 (Unknown code ____ 255) while obtaining tokens for mytest.dartmouth.edu

	My /etc/pam.d/system-auth file on both machines looks like:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5afs.so use_first_pass tokens
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5afs.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5afs.so


	I've tested with no firewalls running on either machine.

	Any ideas?  Any thoughts would be appreciated.

Thanks,

-Dj

-- 
Dj Merrill
deej@thayer.dartmouth.edu

"TSA: Totally Screwing Aviation"