[OpenAFS] tokens at login (pam_krb5afs module)
Douglas E. Engert
deengert@anl.gov
Mon, 25 Apr 2005 16:16:45 -0500
You have not said anything about the krb5 realm, or having added
a principal to the realm's database.
Dj Merrill wrote:
> Christopher Allen Wing wrote:
>
>> Frode:
>>
>> The pam_krb5 module that comes with Red Hat should be able to obtain
>> tokens. Note that it may have some bugs:
>>
>> - it may not work with dynroot enabled
>> - it may not work when you have more than 1 AFS database server
>>
>>
>> At some point I will try to get patches to Red Hat to fix these issues,
>> but I believe it will work at least if you disable dynroot. (or if you
>> add
>> the name of your cell to the options string in /etc/pam.d/system-auth)
>>
>
> Hi Christopher,
> I believe I have traced my troubles trying to get
> an AFS token at login down to this module.
> I am running RHEL 4 with all the current updates as of
> 25 Apr 2005. I have the RH supplied version pam_krb5-2.1.2-1 installed.
> I am using the OpenAfs 1.3.81 client on this machine.
>
> My primary server is a RH 3.4 machine using
> the current RH 3.4 packages for Krb5 (1.2.7-42).
> I am running OpenAFS 1.2.13 here. I am able to login
> to 3.4 machines and get AFS tokens just fine using
> pam_krb5-1.73-1.
>
> Under RH 4, I can authenticate against Krb 5, but
> I cannot get an AFS token (talking to the same server
> that the 3.4 machines work against). I do not have
> dynroot enabled. After login, I can use the RH supplied
> "afslog" command to obtain an AFS token successfully.
>
> I have the following as part of
> my /etc/krb5.conf:
>
> [appdefaults]
> pam = {
> debug = true
> ticket_lifetime = 86400
> renew_lifetime = 86400
> forwardable = true
> krb4_convert = true
> afs_cells = econ.duke.edu
> minimum_uid = 1000
> }
> afs_krb5 = {
> ECON.DUKE.EDU = {
> afs = true
> }
> }
>
> and my /etc/pam.d/system-auth file contains:
>
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_krb5afs.so
> use_first_pass tokens afs_cells=econ.duke.edu debug
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100
> quiet
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok
> use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_krb5afs.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session optional /lib/security/$ISA/pam_krb5afs.so
>
>
> As per the K5 migration info, I have an afs principal:
> afs@ECON.DUKE.EDU
> however, I note that the pam_krb5afs tries several other
> combinations, but not this one exactly.
What is the difference between the afs@ECON.DUKE.EDU above
and the one below?
For example, it tries
> afs@ECON.DUKE.EDU, afs/econ.duke.edu@econ.duke.edu, and
> afs/econ.duke.edu@ECON.DUKE.EDU.
>
> Could this be where the issue is?
>
Have you added the principal to the Krb5 realm?
(Use the afs/econ.duke.edu@ECON.DUKE.EDU as this is
afs/<cell>@<realm> which is what it tries first.)
In your krb5.conf file I don't see any references to the
Kerberos realm of ECON.DUKE.EDU.
> The debug log shows:
>
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: obtaining afs
> tokens
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: obtaining tokens
> for 'econ.duke.edu'
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@econ.duke.edu")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@ECON.DUKE.EDU")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@econ.duke.edu")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx@econ.duke.edu")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@ECON.DUKE.EDU")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=0)
> failed to "econ.duke.edu"
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: trying with v4
> ticket
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs.econ.duke.edu@econ.duke.edu")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71
> (Protocol error) obtaining v4 creds for "econ.duke.edu"
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71
> (Protocol error) obtaining v4 creds for "econ.duke.edu"
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs.econ.duke.edu@ECON.DUKE.EDU")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 8
> (Exec format error) obtaining v4 creds for "econ.duke.edu"
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx.econ.duke.edu@econ.duke.edu")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71
> (Protocol error) obtaining v4 creds for "econ.duke.edu"
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx@econ.duke.edu")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71
> (Protocol error) obtaining v4 creds for "econ.duke.edu"
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx.econ.duke.edu@ECON.DUKE.EDU")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 8
> (Exec format error) obtaining v4 creds for "econ.duke.edu"
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: v4 afslog failed
> to "econ.duke.edu"
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: retrying v5 with
> 2b=1
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@econ.duke.edu")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@ECON.DUKE.EDU")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@econ.duke.edu")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx@econ.duke.edu")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@ECON.DUKE.EDU")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=1)
> failed to "econ.duke.edu"
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error -1
> (Unknown code ____ 255) while obtaining tokens for econ.duke.edu
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: obtaining tokens
> for 'econ.duke.edu'
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@econ.duke.edu")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@ECON.DUKE.EDU")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@econ.duke.edu")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx@econ.duke.edu")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@ECON.DUKE.EDU")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=0)
> failed to "econ.duke.edu"
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: trying with v4
> ticket
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs.econ.duke.edu@econ.duke.edu")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71
> (Protocol error) obtaining v4 creds for "econ.duke.edu"
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71
> (Protocol error) obtaining v4 creds for "econ.duke.edu"
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs.econ.duke.edu@ECON.DUKE.EDU")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 8
> (Exec format error) obtaining v4 creds for "econ.duke.edu"
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx.econ.duke.edu@econ.duke.edu")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71
> (Protocol error) obtaining v4 creds for "econ.duke.edu"
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx@econ.duke.edu")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71
> (Protocol error) obtaining v4 creds for "econ.duke.edu"
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx.econ.duke.edu@ECON.DUKE.EDU")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 8
> (Exec format error) obtaining v4 creds for "econ.duke.edu"
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: v4 afslog failed
> to "econ.duke.edu"
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: retrying v5 with
> 2b=1
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@econ.duke.edu")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@ECON.DUKE.EDU")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@econ.duke.edu")
> Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx@econ.duke.edu")
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: attempting to
> obtain tokens for "econ.duke.edu" ("afsx/econ.duke.edu@ECON.DUKE.EDU")
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=1)
> failed to "econ.duke.edu"
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: got error -1
> (Unknown code ____ 255) while obtaining tokens for econ.duke.edu
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: removing ticket
> file '/tmp/tkt0_DfRMqS'
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: removing ccache
> file '/tmp/krb5cc_0_QOt6KQ'
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: creating v5
> ccache for 'deej'
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: saving v5
> credentials to 'FILE:/tmp/krb5cc_1001_d1tFiY'
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: created v5
> ccache '/tmp/krb5cc_1001_WN3qGK' for 'deej'
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: creating v4
> ticket file for 'deej'
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: saving v4
> tickets to '/tmp/tkt1001_vySyzp'
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: created v4
> ticket file '/tmp/tkt1001_bA73kJ' for 'deej'
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: pam_open_session
> returning 0 (Success)
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: configured realm
> 'ECON.DUKE.EDU'
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flags: forwardable
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: no ignore_afs
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: tokens
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: user_check
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: krb4_convert
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: warn
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: ticket lifetime:
> 86400
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: renewable
> lifetime: 86400
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: minimum uid: 1000
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: banner: Kerberos 5
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: ccache dir: /tmp
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: keytab:
> /etc/krb5.keytab
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]:
> afs cell: econ.duke.edu
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: called to update
> credentials for 'deej'
> Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]:
> _pam_krb5_sly_refresh returning 0 (Success)
>
> Thanks for any help you may have to offer,
>
> -Dj
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
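The point raised in the reply above is that the krb5.conf quoted in the thread names ECON.DUKE.EDU only inside [appdefaults] afs_krb5 and never wires the realm up in a [realms] section, and that the afs/<cell>@<realm> principal has to exist before pam_krb5afs can get a token. The following script is an added example, not code from the thread, OpenAFS or pam_krb5: it parses a krb5.conf offline, reports a realm that afs_krb5 refers to but [realms] does not define, and prints the afs/<cell>@<realm> principal name an administrator should expect to find in the KDC. The two embedded configurations are constructed for the example (the "fixed" one uses placeholder KDC hostnames, not the site's real servers), and the parser is a simplified one that handles the nested-brace layout of krb5.conf but not every corner of the real format.

```python
"""Offline check of a krb5.conf for a realm named in [appdefaults] afs_krb5
that has no [realms] entry (added example; not pam_krb5's own code)."""

import re

# Constructed sample: the [appdefaults] block quoted in the thread, and
# nothing else, so no [realms] section defines ECON.DUKE.EDU.
SAMPLE_BROKEN = """
[appdefaults]
pam = {
    debug = true
    ticket_lifetime = 86400
    renew_lifetime = 86400
    forwardable = true
    krb4_convert = true
    afs_cells = econ.duke.edu
    minimum_uid = 1000
}
afs_krb5 = {
    ECON.DUKE.EDU = {
        afs = true
    }
}
"""

# Constructed sample: the same file with the realm actually defined.
# kdc.example.invalid is a placeholder, not the site's real KDC.
SAMPLE_FIXED = SAMPLE_BROKEN + """
[libdefaults]
default_realm = ECON.DUKE.EDU

[realms]
ECON.DUKE.EDU = {
    kdc = kdc.example.invalid
    admin_server = kdc.example.invalid
}
"""


def parse_krb5_conf(text):
    """Parse krb5.conf-style text into {section: {key: value-or-nested-dict}}.

    Simplified parser written for this example: '[name]' opens a section,
    'key = {' opens a nested block, '}' closes it, '#' starts a comment.
    """
    conf = {}
    stack = []  # innermost dict last; stack[0] is the current section
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\S+)\]$', line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("key/value outside any [section]: %r" % raw)
        if line == '}':
            stack.pop()
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def check_afs_realm(conf):
    """Return {'findings': [...], 'required_principals': [...]}.

    A finding is produced for every realm listed under afs_krb5 that the
    [realms] section does not define.  required_principals lists the
    afs/<cell>@<realm> names (the form the reply above says to use) for
    each cell in afs_cells against each afs_krb5 realm.
    """
    appdefaults = conf.get('appdefaults', {})
    cells_raw = appdefaults.get('pam', {}).get('afs_cells', '')
    cells = [c for c in re.split(r'[\s,]+', cells_raw) if c]
    afs_realms = list(appdefaults.get('afs_krb5', {}))
    defined_realms = conf.get('realms', {})

    findings = []
    if not cells:
        findings.append("no afs_cells listed under [appdefaults] pam")
    for realm in afs_realms:
        if realm not in defined_realms:
            findings.append(
                "realm %s is named in afs_krb5 but has no [realms] entry" % realm)

    required = ["afs/%s@%s" % (cell, realm)
                for realm in afs_realms for cell in cells]
    return {'findings': findings, 'required_principals': required}


if __name__ == '__main__':
    for label, text in (('broken', SAMPLE_BROKEN), ('fixed', SAMPLE_FIXED)):
        result = check_afs_realm(parse_krb5_conf(text))
        print(label, result)
```

Run against a real file with `check_afs_realm(parse_krb5_conf(open('/etc/krb5.conf').read()))`. An empty findings list only means the realm is defined in the client's krb5.conf; whether the listed afs/<cell>@<realm> principal exists is still a question for the KDC's database, which is the other thing the reply asks about.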