[OpenAFS] tokens at login (pam_krb5afs module)

Douglas E. Engert deengert@anl.gov
Tue, 26 Apr 2005 13:28:28 -0500


Dj Merrill wrote:

> Douglas E. Engert wrote:
> 
>> You have not said anything about the krb5 realm, or having added
>> a principal to the realm's database.
> 
> 
> Hi Douglas,
>     I have a completely working system using all RHEL 3.4 machines.
> Krb5 is setup and working, corresponding principals are in the database, 
> and RHEL 3.4 clients are functioning fine.
> 
>     I'm trying to add RHEL 4 into the mix, and am running into
> problems obtaining tokens at login.  I can login via Krb5, and I can
> get tokens via "afslog" after login.  AFS seems to be working fine
> (after obtaining a token manually).
> 
>     My best guess at this point is that the behaviour of
> the pam_krb5 module has changed from RHEL 3.4 to RHEL 4
> (pam_krb5 version change from 1.73-1 to 2.1.2-1), and this
> is causing my problems.
> 
> 
>>>     As per the K5 migration info, I have an afs principal:
>>> afs@ECON.DUKE.EDU
>>> however, I note that the pam_krb5afs tries several other
>>> combinations, but not this one exactly. 
>>
>>
>>
>> What is the difference between the afs@ECON.DUKE.EDU above
>> and the one below.
> 
>
>     My apologies, I mistyped - that should have read that it tries:
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to 
> obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@econ.duke.edu")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to 
> obtain tokens for "econ.duke.edu" ("afs@econ.duke.edu")
> Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to 
> obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@ECON.DUKE.EDU")
> 
>     It does NOT try afs@ECON.DUKE.EDU, which is the correct
> entry in the database (according to Step 4, subsection 3 of the
> Krb 5 AFS migration kit).  Please note that this works fine AS-IS for
> RHEL 3.4 machines.
> 
> 
> 
>> Have you added the principal to the KR5 realm?
>> (Use the afs/econ.duke.edu@ECON.DUKE.EDU as this is
>> afs/<cell>@<realm> which is what it tries first.)
> 
> 
>     If I change afs@ECON.DUKE.EDU to
> afs/econ.duke.edu@ECON.DUKE.EDU, won't that break
> my existing and working RHEL 3.4 machines?

If you change it, yes it would break.

> Or are you suggesting that I have both entries?

Yes.

> Don't the kvno numbers have to match between the
> AFS Keyfile and Kerberos databases 

Yes, as well as the key.

> (I'm inferring this from
> the Krb migration kit), so I can only have one entry here?

No, the KeyFile can have 8 keys, each with a different kvno.
The principal name is not stored in the KeyFile, just the
DES keys and kvnos. Its size is a 4-byte number of keys
+ 8*(8-byte DES key + 4-byte kvno).
So if afs@ECON.DUKE.EDU uses a key with kvno 1,
afs/econ.duke.edu@ECON.DUKE.EDU could use kvno 30.

The AFS server will take the kvno and look up the key
in the KeyFile.

Much of the confusion comes down to what is the difference
between an AFS cell and a Kerberos realm. When AFS came with
Krb5 in the kaserver, they were essentially the same. But
I like to view them as different, with the AFS cell accepting
authentication tokens from a number of sources, and an AFS user
could be mapped from the credentials used to authenticate
to the AFS cell.  (gssklog with Globus is an example,
as is using krb524d to remap krb5 principals to AFS users.)


> 
>> In your krb5.conf file I don't see any references to the
>> Kerberos realm of ECON.DUKE.EDU.
> 
> 
>     I didn't send a complete krb5.conf file as I was trying
> for brevity, but here it is:
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = ECON.DUKE.EDU
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
> 
> [realms]
>  ECON.DUKE.EDU = {
>   kdc = kdc-1.econ.duke.edu:88
>   kdc = kdc-2.econ.duke.edu:88
>   admin_server = kdc-1.econ.duke.edu:749
>   default_domain = econ.duke.edu
>  }
> 
> [domain_realm]
>  .econ.duke.edu = ECON.DUKE.EDU
>  econ.duke.edu = ECON.DUKE.EDU
> 
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
>  pam = {
>    debug = true
>    ticket_lifetime = 86400
>    renew_lifetime = 86400
>    forwardable = true
>    krb4_convert = true
>    afs_cells = econ.duke.edu
>    minimum_uid = 1000
>  }
>  afs_krb5 = {
>    ECON.DUKE.EDU = {
>       afs = true
>    }
>  }
> 
> 
> 
> Thanks again,
> 
> -Dj
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
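The KeyFile layout Douglas describes above (a 4-byte key count followed by 8 slots of one 4-byte kvno and one 8-byte DES key, 100 bytes in all, with the server selecting a key by kvno alone) is easy to get wrong when two principals share one cell key file. The following is an added example, not code from the thread or from OpenAFS: it builds a KeyFile image holding keys for the two principals discussed (kvno 1 and kvno 30), parses it back, and performs the kvno lookup the fileserver does. The big-endian encoding and the per-slot field order (kvno first, then the key) are taken from the OpenAFS `afsconf_key` struct as I understand it and are stated here as assumptions; the email lists the two fields in the opposite order but the byte count is the same. The key bytes are constructed and are not real cell keys.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# Layout from the message: 4-byte key count + 8 fixed slots of
# (4-byte kvno + 8-byte DES key) = 100 bytes. Unused slots are zero.
# Assumption (not stated in the thread): big-endian integers, kvno
# stored before the key in each slot, as in OpenAFS's afsconf_key.
MAX_KEYS = 8
DES_KEY_LEN = 8
ENTRY_FMT = ">i8s"
ENTRY_LEN = struct.calcsize(ENTRY_FMT)      # 12 bytes per slot
KEYFILE_LEN = 4 + MAX_KEYS * ENTRY_LEN      # 100 bytes total


@dataclass(frozen=True)
class KeyEntry:
    kvno: int
    key: bytes


def build_keyfile(entries: List[KeyEntry]) -> bytes:
    """Serialize entries into a 100-byte KeyFile image; unused slots are zero."""
    if len(entries) > MAX_KEYS:
        raise ValueError(f"KeyFile holds at most {MAX_KEYS} keys")
    kvnos = [e.kvno for e in entries]
    if len(set(kvnos)) != len(kvnos):
        # Two principals must use distinct kvnos: the server has only
        # the kvno from the token to pick a key with.
        raise ValueError("duplicate kvno in KeyFile")
    out = struct.pack(">i", len(entries))
    for e in entries:
        if len(e.key) != DES_KEY_LEN:
            raise ValueError("DES key must be exactly 8 bytes")
        out += struct.pack(ENTRY_FMT, e.kvno, e.key)
    out += b"\x00" * (ENTRY_LEN * (MAX_KEYS - len(entries)))
    return out


def parse_keyfile(data: bytes) -> Dict[int, bytes]:
    """Return {kvno: key} for the populated slots; reject malformed images."""
    if len(data) != KEYFILE_LEN:
        raise ValueError(f"expected {KEYFILE_LEN} bytes, got {len(data)}")
    (nkeys,) = struct.unpack_from(">i", data, 0)
    if not 0 <= nkeys <= MAX_KEYS:
        raise ValueError(f"bad key count {nkeys}")
    keys: Dict[int, bytes] = {}
    for i in range(nkeys):
        kvno, key = struct.unpack_from(ENTRY_FMT, data, 4 + i * ENTRY_LEN)
        if kvno in keys:
            raise ValueError(f"duplicate kvno {kvno}")
        keys[kvno] = key
    return keys


def lookup_key(keys: Dict[int, bytes], kvno: int) -> bytes:
    """What the fileserver does with a token: select the key by its kvno."""
    try:
        return keys[kvno]
    except KeyError:
        raise KeyError(f"no key with kvno {kvno} in KeyFile") from None


# Constructed sample: the two principals from the thread sharing one
# KeyFile under distinct kvnos. The key bytes are made up.
SAMPLE_ENTRIES = [
    KeyEntry(kvno=1, key=bytes.fromhex("0102030405060708")),   # afs@ECON.DUKE.EDU
    KeyEntry(kvno=30, key=bytes.fromhex("a1a2a3a4a5a6a7a8")),  # afs/econ.duke.edu@ECON.DUKE.EDU
]


def demo():
    """Round-trip the sample and resolve the kvno-30 key as a server would."""
    image = build_keyfile(SAMPLE_ENTRIES)
    keys = parse_keyfile(image)
    return len(image), sorted(keys), lookup_key(keys, 30).hex()


if __name__ == "__main__":
    print(demo())
```

The duplicate-kvno check is the operational point of the exchange: because the principal name never reaches the KeyFile, a token minted under either principal is matched purely by kvno, so the kvno and key of each Kerberos entry must agree with one distinct slot in the file.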