[OpenAFS] trouble with pam_krb5

Kurt Seiffert seiffert@indiana.edu
Wed, 13 Jul 2005 15:42:22 -0500



I'm trying to use pam_krb5 with a RHEL AS v4 system. I am successfully authenticated and get logged in, but I do not get AFS tokens or even have K5 tickets in the cache. It's like the module is successfully authenticating against the KDC, but is unable to store the K5 tickets. I'm logging in through ssh. I can kinit and aklog to get tokens.

If I kinit and do not destroy the cache on logout, then I can login again and the cache is untouched. I put a line in my /etc/profile.d/krb.sh file to run aklog and that works fine if the previous login left tickets in the cache.

If I use the same configuration on a RHEL WS v3 system it works perfectly. All my tickets are in the cache correctly and I get my tokens to AFS, without the use of aklog.

Here are my ssh and system-auth PAM configuration files:
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_krb5afs.so use_first_pass tokens
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> account     sufficient    /lib/security/$ISA/pam_localuser.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5afs.so
> account     required      /lib/security/$ISA/pam_permit.so
>
> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_krb5afs.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_krb5afs.so

> #%PAM-1.0
> auth       required     pam_stack.so service=system-auth
> auth       required     pam_nologin.so
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth

Here is the /etc/krb5.conf PAM section:
> [appdefaults]
> pam = {
>    debug = true
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = false
>    krb4_convert = false
> }


Here is the debug output from pam_krb5:
> Jul 13 15:35:33 rufus1 sshd(pam_unix)[15636]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=intrigue.ucs.indiana.edu  user=seiffert
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: configured realm 'RFSTEST.IU.EDU'
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: flags: not forwardable
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: flag: no ignore_afs
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: flag: tokens
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: flag: user_check
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: flag: no krb4_convert
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: flag: warn
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: ticket lifetime: 36000
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: renewable lifetime: 36000
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: banner: Kerberos 5
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: ccache dir: /tmp
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: keytab: /etc/krb5.keytab
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: called to authenticate 'seiffert'
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: authenticating 'seiffert@RFSTEST.IU.EDU'
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: trying previously-entered password for 'seiffert'
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: authenticating 'seiffert@RFSTEST.IU.EDU' to 'krbtgt/RFSTEST.IU.EDU@RFSTEST.IU.EDU'
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: krb5_get_init_creds_password(krbtgt/RFSTEST.IU.EDU@RFSTEST.IU.EDU) returned 0 (Success)
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: got result 0 (Success)
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: obtaining v4-compatible key
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: obtained des-cbc-crc v5 creds
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: converting v5 creds to v4 creds (etype = 1)
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: conversion succeeded
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: authentication succeeds for 'seiffert' (seiffert@RFSTEST.IU.EDU)
> Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: pam_authenticate returning 0 (Success)
> Jul 13 15:35:33 rufus1 sshd[15634]: Accepted keyboard-interactive/pam for seiffert from ::ffff:156.56.13.2 port 50368 ssh2
> Jul 13 15:35:33 rufus1 sshd(pam_unix)[15637]: session opened for user seiffert by (uid=0)
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: configured realm 'RFSTEST.IU.EDU'
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flags: not forwardable
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: no ignore_afs
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: user_check
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: no krb4_convert
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flag: warn
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: ticket lifetime: 36000
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: renewable lifetime: 36000
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: banner: Kerberos 5
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: ccache dir: /tmp
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: keytab: /etc/krb5.keytab
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: no v5 creds for user 'seiffert', skipping session setup
> Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: pam_open_session returning 0 (Success)

Any ideas on what is wrong or what else I can do to debug this?

Thanks.

-KAS

Kurt A. Seiffert                        | seiffert@indiana.edu
UITS Distributed Storage Services Group | C: 812-345-1892
Indiana University, Bloomington         | W: 1 812-855-5089
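The debug output quoted above lends itself to a mechanical check. What follows is an added example, not code from the original post: a small correlator that parses syslog lines in the shape pam_krb5 emits with debug=true and links the process that ran pam_authenticate to the one that ran pam_open_session. Its sample log is constructed in the shape of the output above, with the user, realm and addresses changed and most option lines dropped; the remark about sshd privilege separation in its output names a common reason for auth and session landing in different processes, not something the post itself establishes.

```python
"""Correlate pam_krb5 debug output across the PAM auth and session phases.

Added example, not code from the original post. It parses syslog lines in the
shape pam_krb5 produces with debug=true and reports whether the TGT obtained
by pam_authenticate was still visible when pam_open_session ran.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the output quoted in the post (user, realm
# and addresses changed, most option lines dropped): authentication happens in
# one sshd process, the session is opened in another.
SAMPLE_LOG = """\
Jul 13 15:35:33 rufus1 sshd(pam_unix)[15636]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=client.example.edu  user=alice
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: configured realm 'EXAMPLE.EDU'
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: flags: not forwardable
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: flag: tokens
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: ccache dir: /tmp
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: called to authenticate 'alice'
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: krb5_get_init_creds_password(krbtgt/EXAMPLE.EDU@EXAMPLE.EDU) returned 0 (Success)
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: authentication succeeds for 'alice' (alice@EXAMPLE.EDU)
Jul 13 15:35:33 rufus1 sshd[15636]: pam_krb5[15636]: pam_authenticate returning 0 (Success)
Jul 13 15:35:33 rufus1 sshd[15634]: Accepted keyboard-interactive/pam for alice from 192.0.2.10 port 50368 ssh2
Jul 13 15:35:33 rufus1 sshd(pam_unix)[15637]: session opened for user alice by (uid=0)
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: configured realm 'EXAMPLE.EDU'
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: flags: not forwardable
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: ccache dir: /tmp
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: no v5 creds for user 'alice', skipping session setup
Jul 13 15:35:33 rufus1 sshd[15637]: pam_krb5[15637]: pam_open_session returning 0 (Success)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$"
)
MODULE_PREFIX_RE = re.compile(r"^pam_krb5\[\d+\]:\s*")


def parse(log_text):
    """Yield (pid, msg) per syslog line, with any leading 'pam_krb5[pid]: ' removed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group("pid")), MODULE_PREFIX_RE.sub("", m.group("msg"))


def correlate(log_text):
    """Return {user: facts} linking the process that authenticated to the one that opened the session."""
    per_pid = defaultdict(lambda: {"flags": set(), "creds_ok": False, "auth_user": None,
                                   "session_user": None, "session_skipped": False})
    for pid, msg in parse(log_text):
        p = per_pid[pid]
        if msg.startswith("flag: "):                        # one line per module option
            p["flags"].add(msg[len("flag: "):])
            continue
        if re.match(r"krb5_get_init_creds_password\(.*\) returned 0\b", msg):
            p["creds_ok"] = True                           # a TGT was obtained in this process
            continue
        m = re.match(r"authentication succeeds for '([^']+)'", msg)
        if m:
            p["auth_user"] = m.group(1)
            continue
        m = re.match(r"session opened for user (\S+)", msg)   # logged by pam_unix's session call
        if m:
            p["session_user"] = m.group(1)
            continue
        m = re.match(r"no v5 creds for user '([^']+)', skipping session setup", msg)
        if m:
            p["session_user"], p["session_skipped"] = m.group(1), True
    users = {}
    for pid, p in per_pid.items():
        if p["auth_user"]:
            u = users.setdefault(p["auth_user"], {})
            u.update(auth_pid=pid, creds_obtained=p["creds_ok"],
                     auth_tokens_flag="tokens" in p["flags"])
        if p["session_user"]:
            u = users.setdefault(p["session_user"], {})
            u.update(session_pid=pid, session_skipped=p["session_skipped"],
                     session_tokens_flag="tokens" in p["flags"])
    return users


def diagnose(user, f):
    """Turn the correlated facts into findings a practitioner can act on."""
    findings = []
    if f.get("creds_obtained") and f.get("session_skipped"):
        findings.append(f"{user}: pam_authenticate obtained a TGT but pam_open_session saw no v5 "
                        "creds, so the session-phase setup (ccache, tokens) was skipped")
    if f.get("auth_pid") and f.get("session_pid") and f["auth_pid"] != f["session_pid"]:
        findings.append(f"{user}: auth ran in pid {f['auth_pid']}, session in pid {f['session_pid']}; "
                        "creds held as in-memory PAM module data by the auth call cannot be seen "
                        "from a different process (common with sshd privilege separation)")
    if f.get("auth_tokens_flag") and not f.get("session_tokens_flag"):
        findings.append(f"{user}: 'tokens' is set on the auth line of the stack but not on the "
                        "session line, so only the auth phase would ask for AFS tokens")
    return findings


if __name__ == "__main__":
    for user, facts in correlate(SAMPLE_LOG).items():
        for line in diagnose(user, facts):
            print(line)
```

Point it at /var/log/secure (or whatever syslog writes authpriv to) in place of the constructed sample; the pid check is the one to look at first, since a successful pam_authenticate followed by "no v5 creds" in another pid means the module never had a chance to write the ccache for the login shell.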

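To see why the quoted system-auth file behaves as the log shows (pam_unix fails, pam_krb5afs then succeeds and the stack stops), here is an added example, not code from the post or from Linux-PAM, that walks a stack using the control-flag rules from pam.conf(5), including the [default=bad success=ok user_unknown=ignore] form on the account line. The modules are stand-ins over a constructed user database (the account names, uids and the KDC password are assumptions), so the point is the stack logic rather than the real modules' behaviour. It also shows the side effect of nullok on a sufficient pam_unix line: a local account with a blank password is let in without the KDC ever being consulted.

```python
"""Walk a PAM stack the way libpam does, using the system-auth lines quoted in the post.

Added example; not code from the original post or from Linux-PAM. The
control-flag tables and the decision loop follow the rules in pam.conf(5);
the modules are stand-ins over a constructed user database, not the real
pam_unix / pam_krb5afs / pam_localuser / pam_succeed_if.
"""

# pam.conf(5): the classic keywords are shorthand for these result=action tables.
CONTROL_FLAGS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_control(control):
    """'sufficient' or '[default=bad success=ok user_unknown=ignore]' -> {result: action}."""
    if not control.startswith("["):
        return dict(CONTROL_FLAGS[control])
    return dict(item.split("=", 1) for item in control.strip("[]").split())


def run_stack(stack, modules, user, password):
    """Return (final result, [(module, result, action), ...]) for one management group."""
    impression, status, trace = None, "success", []
    for control, name, options in stack:
        retval = modules[name](user, password, options)
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", "bad"))  # unlisted results count as bad
        trace.append((name, retval, action))
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if impression == "positive" and action == "done":
                break                          # a sufficient module succeeded: stop here
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval   # the first failure is the one reported
            if action == "die":
                break                          # requisite failure: stop immediately
        # "ignore" leaves the running result untouched
    return ("perm_denied" if impression is None else status), trace


# Constructed accounts (assumptions, not from the post): seiffert is a local user
# with a locked shadow hash and a KDC password; svc is a local service account
# with a blank password; kerbonly exists in the KDC but not in /etc/passwd.
LOCAL = {"seiffert": {"uid": 1001, "pw": None}, "svc": {"uid": 80, "pw": ""}}
KDC = {"seiffert": "correct horse battery staple", "kerbonly": "hunter2"}


def pam_unix_auth(user, password, options):
    if user not in LOCAL:
        return "user_unknown"
    stored = LOCAL[user]["pw"]
    if stored is None:                         # locked entry such as "!!": never matches
        return "auth_err"
    if stored == "":                           # blank password: only passes with nullok
        return "success" if "nullok" in options else "auth_err"
    return "success" if password == stored else "auth_err"


def pam_krb5afs_auth(user, password, options):
    if user not in KDC:
        return "user_unknown"
    return "success" if KDC[user] == password else "auth_err"


def pam_succeed_if_account(user, password, options):
    # stand-in hard-wires the "uid < 100" condition from the quoted line
    if user not in LOCAL:
        return "user_unknown"
    return "success" if LOCAL[user]["uid"] < 100 else "auth_err"


AUTH_MODULES = {
    "pam_env": lambda u, p, o: "success",
    "pam_unix": pam_unix_auth,
    "pam_krb5afs": pam_krb5afs_auth,
    "pam_deny": lambda u, p, o: "auth_err",
}
ACCOUNT_MODULES = {
    "pam_unix": lambda u, p, o: "success" if u in LOCAL else "user_unknown",
    "pam_localuser": lambda u, p, o: "success" if u in LOCAL else "perm_denied",
    "pam_succeed_if": pam_succeed_if_account,
    "pam_krb5afs": lambda u, p, o: "success" if u in KDC else "user_unknown",
    "pam_permit": lambda u, p, o: "success",
}

# The auth and account groups of the quoted system-auth file, module paths dropped.
AUTH_STACK = [
    ("required", "pam_env", []),
    ("sufficient", "pam_unix", ["likeauth", "nullok"]),
    ("sufficient", "pam_krb5afs", ["use_first_pass", "tokens"]),
    ("required", "pam_deny", []),
]
ACCOUNT_STACK = [
    ("required", "pam_unix", ["broken_shadow"]),
    ("sufficient", "pam_localuser", []),
    ("sufficient", "pam_succeed_if", ["uid", "<", "100", "quiet"]),
    ("[default=bad success=ok user_unknown=ignore]", "pam_krb5afs", []),
    ("required", "pam_permit", []),
]


def login(user, password):
    """Run auth then account, as sshd's pam_stack.so service=system-auth would."""
    auth, auth_trace = run_stack(AUTH_STACK, AUTH_MODULES, user, password)
    if auth != "success":
        return {"auth": auth, "account": None, "auth_trace": auth_trace}
    account, _ = run_stack(ACCOUNT_STACK, ACCOUNT_MODULES, user, password)
    return {"auth": auth, "account": account, "auth_trace": auth_trace}


if __name__ == "__main__":
    for user, pw in [("seiffert", KDC["seiffert"]), ("seiffert", "wrong"),
                     ("svc", ""), ("kerbonly", "hunter2"), ("mallory", "x")]:
        r = login(user, pw)
        consulted = " -> ".join(f"{m}:{res}/{act}" for m, res, act in r["auth_trace"])
        print(f"{user:9s} auth={r['auth']:12s} account={r['account']}  [{consulted}]")
```

The trace for seiffert shows pam_unix's auth_err being turned into ignore by sufficient and pam_krb5afs's success ending the stack, which is exactly the "authentication failure" line from pam_unix followed by the pam_krb5 success in the log above. The kerbonly case shows the other half of "flag: user_check": authentication succeeds against the KDC, but the required pam_unix account line fails for a principal with no passwd entry.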
