[OpenAFS] trouble with pam_krb5

Kurt Seiffert seiffert@indiana.edu
Fri, 15 Jul 2005 10:54:42 -0500



The only thing I did for the sshd was to turn off PubKey  
authentication and turn on PAM authentication.

I'm not familiar with SELinux, but the only thing that I can think of  
is that I'm not running a local firewall, but instead using the  
network firewall.

It is clearly authenticating against Kerberos correctly. I have a  
different password for my test KDC from my prod KDC. Those are both  
different from the password in the local passwd file. So I can tell  
clearly which authority is accepting the credentials.

However, the krb5 tickets are not in the cache. They don't show up  
with klist once I'm logged in. Nor is the cache directory in /tmp  
where it should be.

Thanks though.

-KAS

Kurt A. Seiffert                        | seiffert@indiana.edu
UITS Distributed Storage Services Group | C: 812-345-1892
Indiana University, Bloomington         | W: 1 812-855-5089

On Jul 14, 2005, at 1:22 PM, Christopher Allen Wing wrote:

> Kurt:
>
> The RHEL4 version of pam_krb5 is known to be broken in some AFS  
> environments (won't get tokens). It should get krb5 tickets,  
> though, if everything is configured properly.
>
>
> Do you have a standard /etc/ssh/sshd_config file, or has this been  
> customized?
>
> Are you using SELinux in the normal configuration?
>
>
>
> I have a set of fixed pam_krb5 RPMS here:
>
>     http://www-personal.engin.umich.edu/~wingc/openafs/dist/1.3.85/
>
>
>
> but those should only fix AFS issues; not getting the ticket at all  
> sounds like a different problem.
>
>
>
> -Chris Wing
> wingc@engin.umich.edu
>

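An added check (not part of the thread, and not Kurt's or Chris's configuration) that covers the two points raised above: Chris asks whether sshd_config is standard, and Kurt reports that pam_krb5 accepts the password but leaves no ticket cache behind. The script assumes the usual RHEL-era layout in which the ticket cache is handed to the user's session by pam_krb5's session/setcred stage, so a stack that lists pam_krb5.so only on the auth lines can authenticate correctly and still produce nothing for klist. Both configuration files below are constructed samples; the file names, the function names and the regexes are this example's own, and on a real host you would point the checks at /etc/ssh/sshd_config and the PAM service file sshd actually uses.

```shell
#!/bin/sh
# Added example: static checks for the pam_krb5-over-sshd login path.
# Checks (1) that sshd hands authentication to PAM at all, and (2) that
# pam_krb5.so sits on both the auth and the session stack of the PAM
# service, since a stack with it only on auth accepts the password but
# never sets up the ticket cache for the user. Sample inputs are constructed.

# 0 if the sshd_config given as $1 has an effective "UsePAM yes", else 1.
# The last UsePAM directive in the file wins; absent means "no".
sshd_uses_pam() {
    val=$(grep -Ei '^[[:space:]]*UsePAM[[:space:]]+' "$1" | tail -n 1 \
          | awk '{print tolower($2)}')
    [ "$val" = "yes" ]
}

# 0 if PAM service file $1 lists pam_krb5.so for management group $2
# (auth, account, session or password), else 1.
pam_has_krb5() {
    grep -Eq "^[[:space:]]*$2[[:space:]].*pam_krb5\.so" "$1"
}

# Runs all checks for sshd_config $1 and PAM service file $2, prints one
# line per check and returns the number of failed checks.
check_krb5_login() {
    sshd_conf=$1; pam_conf=$2; failures=0
    if sshd_uses_pam "$sshd_conf"; then
        echo "ok    sshd: UsePAM yes"
    else
        echo "FAIL  sshd: UsePAM is not yes, so pam_krb5 never runs for ssh logins"
        failures=$((failures + 1))
    fi
    for grp in auth session; do
        if pam_has_krb5 "$pam_conf" "$grp"; then
            echo "ok    pam: pam_krb5.so present on the $grp stack"
        else
            echo "FAIL  pam: pam_krb5.so missing from the $grp stack"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# Constructed sample files (hypothetical contents, not a real host's).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

GOOD_SSHD="$WORK/sshd_config.good"
cat > "$GOOD_SSHD" <<'EOF'
# constructed sample: password auth handed to PAM
PubkeyAuthentication no
PasswordAuthentication yes
UsePAM yes
EOF

BAD_SSHD="$WORK/sshd_config.bad"
cat > "$BAD_SSHD" <<'EOF'
# constructed sample: PAM switched off, so pam_krb5 is bypassed
PubkeyAuthentication no
UsePAM no
EOF

GOOD_PAM="$WORK/pam_sshd.good"
cat > "$GOOD_PAM" <<'EOF'
# constructed sample: krb5 on auth and session
auth       sufficient   pam_krb5.so
auth       required     pam_unix.so
account    required     pam_unix.so
session    optional     pam_krb5.so
session    required     pam_unix.so
EOF

BAD_PAM="$WORK/pam_sshd.bad"
cat > "$BAD_PAM" <<'EOF'
# constructed sample: password is verified, but no session line for krb5
auth       sufficient   pam_krb5.so
auth       required     pam_unix.so
account    required     pam_unix.so
session    required     pam_unix.so
EOF

echo "== good configuration =="
check_krb5_login "$GOOD_SSHD" "$GOOD_PAM" || true
echo "== broken configuration =="
check_krb5_login "$BAD_SSHD" "$BAD_PAM" || true
```

The broken pair reproduces the symptom from the thread in miniature: the auth line accepts the Kerberos password, yet with UsePAM off and no pam_krb5 session entry there is no stage that would leave a cache in /tmp for klist to find.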
