[OpenAFS] trouble with pam_krb5
Kurt Seiffert
seiffert@indiana.edu
Wed, 13 Jul 2005 15:42:22 -0500
I'm trying to use pam_krb5 with a RHEL AS v4 system. I am
successfully authenticated and get logged in, but I do not get AFS
tokens or even have K5 tickets in the cache. It's like the module is
successfully authenticating against the KDC, but is unable to store
the K5 tickets. I'm logging in through ssh. I can kinit and aklog to
get tokens.
If I kinit and do not destroy the cache on logout, then I can log in
again and the cache is untouched. I put a line in my /etc/profile.d/
krb.sh file to run aklog and that works fine if the previous login
left tickets in the cache.
If I use the same configuration on a RHEL WS v3 system it works
perfectly. All my tickets are in the cache correctly and I get my
tokens to AFS, without the use of aklog.
Here are my ssh and system-auth PAM configuration files:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_krb5afs.so use_first_pass tokens
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient /lib/security/$ISA/pam_localuser.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5afs.so
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_krb5afs.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session optional /lib/security/$ISA/pam_krb5afs.so

> #%PAM-1.0
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
Here is the /etc/krb5.conf PAM section:
> [appdefaults]
> pam = {
> debug = true
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = false
> krb4_convert = false
> }
Here is the debug output from pam_krb5:
> Jul 13 15:35:33 rufus1 sshd(pam_unix)[15636]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=intrigue.ucs.indiana.edu user=seiffert
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: configured realm 'RFSTEST.IU.EDU'
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: flags: not forwardable
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: flag: no ignore_afs
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: flag: tokens
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: flag: user_check
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: flag: no krb4_convert
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: flag: warn
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: ticket lifetime: 36000
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: renewable lifetime: 36000
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: banner: Kerberos 5
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: ccache dir: /tmp
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: keytab: /etc/krb5.keytab
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: called to authenticate 'seiffert'
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: authenticating 'seiffert@RFSTEST.IU.EDU'
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: trying previously-entered password for 'seiffert'
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: authenticating 'seiffert@RFSTEST.IU.EDU' to 'krbtgt/RFSTEST.IU.EDU@RFSTEST.IU.EDU'
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: krb5_get_init_creds_password(krbtgt/RFSTEST.IU.EDU@RFSTEST.IU.EDU) returned 0 (Success)
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: got result 0 (Success)
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: obtaining v4-compatible key
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: obtained des-cbc-crc v5 creds
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: converting v5 creds to v4 creds (etype = 1)
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: conversion succeeded
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: authentication succeeds for 'seiffert' (seiffert@RFSTEST.IU.EDU)
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: pam_authenticate returning 0 (Success)
> Jul 13 15:35:33 rufus1 sshd[15634]: Accepted keyboard-interactive/pam for seiffert from ::ffff:156.56.13.2 port 50368 ssh2
> Jul 13 15:35:33 rufus1 sshd(pam_unix)[15637]: session opened for user seiffert by (uid=0)
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: configured realm 'RFSTEST.IU.EDU'
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flags: not forwardable
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: no ignore_afs
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: user_check
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: no krb4_convert
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: warn
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: ticket lifetime: 36000
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: renewable lifetime: 36000
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: banner: Kerberos 5
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: ccache dir: /tmp
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: keytab: /etc/krb5.keytab
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: no v5 creds for user 'seiffert', skipping session setup
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: pam_open_session returning 0 (Success)
Any ideas on what is wrong or what else I can do to debug this?
Thanks.
-KAS
Kurt A. Seiffert | seiffert@indiana.edu
UITS Distributed Storage Services Group | C: 812-345-1892
Indiana University, Bloomington | W: 1 812-855-5089
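An added diagnostic (editor's example, not code from the post or from pam_krb5): it parses pam_krb5 debug lines like the ones quoted above and reports logins where "authentication succeeds" was logged by one sshd process while the session phase, running in a different process, logged "no v5 creds". The sample log is a constructed condensation of the output above; the syslog prefix layout and the regexes are assumptions.

```python
import re

# Constructed sample: a condensed copy of the pam_krb5 debug lines quoted in the
# post (auth phase in sshd pid 15636, session phase in sshd pid 15637).
SAMPLE_LOG = """\
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: called to authenticate 'seiffert'
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: authentication succeeds for 'seiffert' (seiffert@RFSTEST.IU.EDU)
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: pam_authenticate returning 0 (Success)
Jul 13 15:35:33 rufus1 sshd(pam_unix)[15637]: session opened for user seiffert by (uid=0)
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: no v5 creds for user 'seiffert', skipping session setup
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: pam_open_session returning 0 (Success)
"""

# Assumed syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ (?P<host>\S+) (?P<prog>\S+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH_OK_RE = re.compile(r"pam_krb5\[\d+\]: authentication succeeds for '(?P<user>[^']+)'")
NO_CREDS_RE = re.compile(r"pam_krb5\[\d+\]: no v5 creds for user '(?P<user>[^']+)', skipping session setup")


def parse_events(log_text):
    """Return [(pid, kind, user)] for the two pam_krb5 events that matter here:
    'auth_ok' (creds were obtained) and 'no_creds' (session phase found none)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        ok = AUTH_OK_RE.search(msg)
        if ok:
            events.append((pid, "auth_ok", ok["user"]))
            continue
        none = NO_CREDS_RE.search(msg)
        if none:
            events.append((pid, "no_creds", none["user"]))
    return events


def find_orphaned_auth(log_text):
    """Map user -> (auth_pid, session_pid) for logins where pam_krb5 reported
    success in one process but the session phase, in a different process,
    reported that no v5 creds were available to it."""
    last_auth_pid = {}
    orphaned = {}
    for pid, kind, user in parse_events(log_text):
        if kind == "auth_ok":
            last_auth_pid[user] = pid
        elif kind == "no_creds" and user in last_auth_pid and last_auth_pid[user] != pid:
            orphaned[user] = (last_auth_pid[user], pid)
    return orphaned


if __name__ == "__main__":
    for user, (auth_pid, sess_pid) in find_orphaned_auth(SAMPLE_LOG).items():
        print(f"{user}: creds obtained in pid {auth_pid}, session phase in pid {sess_pid} saw none")
```

Run it against /var/log/secure (or wherever sshd logs with pam_krb5 debug enabled) to see whether the credential-obtaining process and the session-opening process are the same one.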