[OpenAFS] tokens at login (pam_krb5afs module)
Dj Merrill
deej@thayer.dartmouth.edu
Mon, 25 Apr 2005 16:55:04 -0400
Christopher Allen Wing wrote:
> Frode:
>
> The pam_krb5 module that comes with Red Hat should be able to obtain
> tokens. Note that it may have some bugs:
>
> - it may not work with dynroot enabled
> - it may not work when you have more than 1 AFS database server
>
>
> At some point I will try to get patches to Red Hat to fix these issues,
> but I believe it will work at least if you disable dynroot. (or if you add
> the name of your cell to the options string in /etc/pam.d/system-auth)
>
Hi Christopher,
I believe I have traced my troubles trying to get
an AFS token at login down to this module.
I am running RHEL 4 with all the current updates as of
25 Apr 2005. I have the RH supplied version pam_krb5-2.1.2-1 installed.
I am using the OpenAFS 1.3.81 client on this machine.
My primary server is a RH 3.4 machine using
the current RH 3.4 packages for Krb5 (1.2.7-42).
I am running OpenAFS 1.2.13 here. I am able to log in
to 3.4 machines and get AFS tokens just fine using
pam_krb5-1.73-1.
Under RH 4, I can authenticate against Krb 5, but
I cannot get an AFS token (talking to the same server
that the 3.4 machines work against). I do not have
dynroot enabled. After login, I can use the RH supplied
"afslog" command to obtain an AFS token successfully.
I have the following as part of my /etc/krb5.conf:

[appdefaults]
        pam = {
                debug = true
                ticket_lifetime = 86400
                renew_lifetime = 86400
                forwardable = true
                krb4_convert = true
                afs_cells = econ.duke.edu
                minimum_uid = 1000
        }
        afs_krb5 = {
                ECON.DUKE.EDU = {
                        afs = true
                }
        }
and my /etc/pam.d/system-auth file contains:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5afs.so use_first_pass tokens afs_cells=econ.duke.edu debug
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5afs.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5afs.so
As per the K5 migration info, I have an afs principal:
afs@ECON.DUKE.EDU
However, I note that the pam_krb5afs module tries several other
combinations, but not this one exactly. For example, it tries
afs@ECON.DUKE.EDU, afs/econ.duke.edu@econ.duke.edu, and
afs/econ.duke.edu@ECON.DUKE.EDU.
Could this be where the issue is?
The debug log shows:
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: obtaining afs tokens
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: obtaining tokens
for 'econ.duke.edu'
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@ECON.DUKE.EDU")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@ECON.DUKE.EDU")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=0)
failed to "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: trying with v4
ticket
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs.econ.duke.edu@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71
(Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71
(Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs.econ.duke.edu@ECON.DUKE.EDU")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 8
(Exec format error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx.econ.duke.edu@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71
(Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71
(Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx.econ.duke.edu@ECON.DUKE.EDU")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 8
(Exec format error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: v4 afslog failed
to "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: retrying v5 with
2b=1
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@ECON.DUKE.EDU")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@econ.duke.edu")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx@econ.duke.edu")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@ECON.DUKE.EDU")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=1)
failed to "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error -1
(Unknown code ____ 255) while obtaining tokens for econ.duke.edu
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: obtaining tokens
for 'econ.duke.edu'
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@econ.duke.edu")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@ECON.DUKE.EDU")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@econ.duke.edu")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx@econ.duke.edu")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@ECON.DUKE.EDU")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=0)
failed to "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: trying with v4
ticket
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs.econ.duke.edu@econ.duke.edu")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71
(Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71
(Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs.econ.duke.edu@ECON.DUKE.EDU")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 8
(Exec format error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx.econ.duke.edu@econ.duke.edu")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71
(Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx@econ.duke.edu")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71
(Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx.econ.duke.edu@ECON.DUKE.EDU")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 8
(Exec format error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: v4 afslog failed
to "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: retrying v5 with
2b=1
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@econ.duke.edu")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@ECON.DUKE.EDU")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@econ.duke.edu")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx@econ.duke.edu")
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: attempting to
obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@ECON.DUKE.EDU")
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=1)
failed to "econ.duke.edu"
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: got error -1
(Unknown code ____ 255) while obtaining tokens for econ.duke.edu
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: removing ticket
file '/tmp/tkt0_DfRMqS'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: removing ccache
file '/tmp/krb5cc_0_QOt6KQ'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: creating v5
ccache for 'deej'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: saving v5
credentials to 'FILE:/tmp/krb5cc_1001_d1tFiY'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: created v5
ccache '/tmp/krb5cc_1001_WN3qGK' for 'deej'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: creating v4
ticket file for 'deej'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: saving v4
tickets to '/tmp/tkt1001_vySyzp'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: created v4
ticket file '/tmp/tkt1001_bA73kJ' for 'deej'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: pam_open_session
returning 0 (Success)
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: configured realm
'ECON.DUKE.EDU'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flags: forwardable
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: no ignore_afs
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: tokens
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: user_check
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: krb4_convert
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: warn
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: ticket lifetime:
86400
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: renewable
lifetime: 86400
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: minimum uid: 1000
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: banner: Kerberos 5
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: ccache dir: /tmp
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: keytab: /etc/krb5.keytab
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: afs cell: econ.duke.edu
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: called to update
credentials for 'deej'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]:
_pam_krb5_sly_refresh returning 0 (Success)
Thanks for any help you may have to offer,
-Dj
--
Dj Merrill
Sportsman 2+2 Builder #7118
"TSA: Totally Screwing Aviation"
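When chasing a failure like the one above, the useful question is which service principals the module actually asked the KDC for, and whether any of them is a principal the KDC holds. The following is an added example, not code from the post or from pam_krb5: it parses pam_krb5 debug lines of the form quoted above (the sample is constructed from those lines, re-joined where the mail wrapped them) and compares the tried principals against a list of principals you know exist in the realm.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the pam_krb5 debug lines quoted in the post,
# re-joined onto single lines (the mail wrapped them).
SAMPLE_LOG = """\
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@ECON.DUKE.EDU")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=0) failed to "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: trying with v4 ticket
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs.econ.duke.edu@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
"""

# Message shapes taken from the quoted debug output.
ATTEMPT_RE = re.compile(r'attempting to obtain tokens for "([^"]+)" \("([^"]+)"\)')
ERROR_RE = re.compile(r'got error (-?\d+) \(([^)]*)\)')

def parse_attempts(log_text):
    """Return {cell: [(principal, error_or_None), ...]} in log order.

    A 'got error' line is attributed to the most recent attempt that has
    no error recorded yet; v5 attempts in the sample report no per-principal
    error, so they stay at None.
    """
    attempts = OrderedDict()
    last = None
    for line in log_text.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            cell, princ = m.groups()
            last = [princ, None]
            attempts.setdefault(cell, []).append(last)
            continue
        m = ERROR_RE.search(line)
        if m and last is not None and last[1] is None:
            last[1] = f"{m.group(1)} ({m.group(2)})"
    return {cell: [tuple(a) for a in lst] for cell, lst in attempts.items()}

def unmatched_principals(log_text, kdc_principals):
    """Per cell, the principals the module tried that the KDC does not hold."""
    have = set(kdc_principals)
    return {cell: [p for p, _ in lst if p not in have]
            for cell, lst in parse_attempts(log_text).items()}

def kdc_has_any_tried(log_text, kdc_principals):
    """True if at least one tried principal exists in the KDC list."""
    have = set(kdc_principals)
    return any(p in have for lst in parse_attempts(log_text).values() for p, _ in lst)
```

Running `kdc_has_any_tried(SAMPLE_LOG, ["afs@ECON.DUKE.EDU"])` against the quoted lines returns False, which makes the mismatch between the principal that exists and the names being tried visible without reading the whole log by hand.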