[OpenAFS] refresh initial tokens
Ronny Blomme
Ronny.Blomme+afsinfo@elis.ugent.be
Fri, 2 Feb 2007 14:16:27 +0100
I am setting up openafs-1.4.2 client and server on FC4 with heimdal-0.7.2. I replaced the kas-server with kdc.
When I log in to this server with ssh, I get tickets/tokens (via /etc/pam.d/sshd).
These initial tokens can be refreshed once with "kinit -R", but the new tickets have no "Flag=R" and so these tokens cannot be refreshed:
# kinit -R
kinit: krb5_get_kdc_cred: KDC can't fulfill requested option
When I get renewable tokens with
# kinit --renewable
the "Flag=R" does not disappear, and I can "kinit -R" several times.
I think something is wrong with my pam-setup, but I have no idea...
# cat /etc/pam.d/sshd
auth       required   /lib/security/$ISA/pam_env.so
auth       sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth       sufficient /lib/security/pam_krb5afs.so try_first_pass ignore_root
auth       required   /lib/security/$ISA/pam_deny.so
account    required   pam_nologin.so
account    required   /lib/security/$ISA/pam_unix.so
account    sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account    sufficient /lib/security/$ISA/pam_krb5afs.so
account    required   /lib/security/$ISA/pam_permit.so
password   requisite  /lib/security/$ISA/pam_cracklib.so retry=3
password   sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password   sufficient /lib/security/pam_krb5afs.so use_authtok
password   required   /lib/security/$ISA/pam_deny.so
session    required   /lib/security/$ISA/pam_limits.so
session    required   /lib/security/$ISA/pam_unix.so
session    optional   /lib/security/pam_krb5afs.so
session    required   pam_loginuid.so
# cat /etc/krb5.conf
[libdefaults]
    default_realm = ELIS.UGENT.BE
[realms]
    ELIS.UGENT.BE = {
        kdc = kerberos.elis.ugent.be:88
        admin_server = kerberos.elis.ugent.be:749
        kpasswd_server = kerberos.elis.ugent.be
        default_domain = elis.ugent.be
    }
[domain_realm]
    .elis.ugent.be = ELIS.UGENT.BE
    elis.ugent.be = ELIS.UGENT.BE
[kdc]
    enable-kaserver = yes
    enable-524 = yes
    afs-cell = elis.ugent.be
    v4-realm = ELIS.UGENT.BE
    use_2b = {
        afs@ELIS.UGENT.BE = yes
        afs/elis.ugent.be@ELIS.UGENT.BE = yes
    }
[logging]
    kdc = FILE:/var/log/heimdal-kdc.log
    kdc = SYSLOG:INFO
[kadmin]
    default_keys = des:afs3-salt:elis.ugent.be
    afs-cell = elis.ugent.be
[appdefaults]
    pam = {
        ELIS.UGENT.BE = {
            debug = true
            tokens = yes
            ticket_lifetime = 90000
            renew_lifetime = 90000
            forwardable = true
        }
    }
    afs_krb5 = {
        ELIS.UGENT.BE = {
            afs = true
            afs/elis.ugent.be = true
        }
    }
Part of /var/log/heimdal-kdc.log:
>>>>>>>>>>> ssh logon
2007-02-01T18:34:31 AS-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE
2007-02-01T18:34:31 Using des-cbc-crc/des-cbc-crc
2007-02-01T18:34:31 Requested flags: renewable, forwardable
2007-02-01T18:34:31 sending 552 bytes to IPv4:157.193.204.1
2007-02-01T18:34:31 524-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE
2007-02-01T18:34:31 sending 1266 bytes to IPv4:157.193.204.1
2007-02-01T18:34:31 TGS-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for afs/elis.ugent.be@ELIS.UGENT.BE [renewable, forwardable]
2007-02-01T18:34:31 sending 516 bytes to IPv4:157.193.204.1
2007-02-01T18:34:31 524-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for afs/elis.ugent.be@ELIS.UGENT.BE
2007-02-01T18:34:31 sending 1266 bytes to IPv4:157.193.204.1
>>>>>>>>>>> first kinit -R
2007-02-01T18:34:51 TGS-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE [renew, renewable]
2007-02-01T18:34:51 sending 527 bytes to IPv4:157.193.204.1
2007-02-01T18:34:51 TGS-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for afs@ELIS.UGENT.BE
2007-02-01T18:34:51 sending 493 bytes to IPv4:157.193.204.1
2007-02-01T18:34:51 524-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for afs@ELIS.UGENT.BE
2007-02-01T18:34:51 sending 1266 bytes to IPv4:157.193.204.1
>>>>>>>>>>> second kinit -R
2007-02-01T18:34:52 TGS-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE [renew, renewable]
2007-02-01T18:34:52 Bad request for renewable ticket
2007-02-01T18:34:52 sending 135 bytes to IPv4:157.193.204.1
# rpm -qa | grep openafs
openafs-client-1.4.2-fc4.1
openafs-docs-1.4.2-fc4.1
openafs-devel-1.4.2-fc4.1
openafs-1.4.2-fc4.1
openafs-compat-1.4.2-fc4.1
openafs-kernel-smp-1.4.2-2.6.13_1.1532_FC4smp_1
openafs-krb5-1.4.2-fc4.1
openafs-server-1.4.2-fc4.1
openafs-authlibs-1.4.2-fc4.1
# rpm -qa | grep krb5
krb5-workstation-1.4.1-5
openafs-krb5-1.4.2-fc4.1
krb5-libs-1.4.1-5
pam_krb5-2.1.15-2
-- 
Ronny Blomme - Ronny.Blomme@elis.UGent.be
system manager
IMEC/INVOMEC - UGent/ELIS
ELIS - Ghent University - Ghent, Belgium
tel: +32/9/264.42.35 fax: +32/9/264.35.94 gsm: 0472/27.99.67
http://www.elis.UGent.be/RonnyBlomme
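The KDC log excerpt in the post is the evidence that matters here: it records which flags each request asked for and whether the KDC refused a renewal. Below is an added example, not part of the original post and not Heimdal's own tooling, that parses KDC log lines in the shape shown above, attaches to each request the flag list it carried (the bracketed suffix on TGS-REQ lines or the "Requested flags:" line after an AS-REQ) and any diagnostic the KDC printed before replying, and then summarises renewal attempts and refusals per client principal. The embedded log text is a constructed copy of the excerpt above; the function names and the treatment of "Using ..." lines as informational are my own assumptions.

```python
import re

# Constructed sample: Heimdal KDC log lines in the shape shown in the post
# (the 524-REQ lines are omitted since they carry no flags).
SAMPLE_LOG = """\
2007-02-01T18:34:31 AS-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE
2007-02-01T18:34:31 Using des-cbc-crc/des-cbc-crc
2007-02-01T18:34:31 Requested flags: renewable, forwardable
2007-02-01T18:34:31 sending 552 bytes to IPv4:157.193.204.1
2007-02-01T18:34:31 TGS-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for afs/elis.ugent.be@ELIS.UGENT.BE [renewable, forwardable]
2007-02-01T18:34:31 sending 516 bytes to IPv4:157.193.204.1
2007-02-01T18:34:51 TGS-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE [renew, renewable]
2007-02-01T18:34:51 sending 527 bytes to IPv4:157.193.204.1
2007-02-01T18:34:52 TGS-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE [renew, renewable]
2007-02-01T18:34:52 Bad request for renewable ticket
2007-02-01T18:34:52 sending 135 bytes to IPv4:157.193.204.1
"""

# One request line: timestamp, request type, client, source address, target
# service, and an optional bracketed flag list (present on TGS-REQ lines).
REQ_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>AS-REQ|TGS-REQ|524-REQ) (?P<client>\S+) "
    r"from (?P<addr>\S+) for (?P<server>\S+)(?: \[(?P<flags>[^\]]*)\])?$"
)


def _split_flags(text):
    """Turn 'renew, renewable' into ['renew', 'renewable']."""
    return [f.strip() for f in text.split(",") if f.strip()]


def parse_kdc_log(text):
    """Parse KDC log text into a list of request records (dicts).

    Lines between a request line and the KDC's 'sending ... bytes' reply are
    attributed to that request: 'Requested flags:' fills in the flag list for
    AS-REQs, 'Using ...' is treated as informational (assumption), and any
    other line is kept as the request's error/diagnostic.
    """
    requests = []
    current = None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = m.groupdict()
            current["flags"] = _split_flags(current["flags"] or "")
            current["error"] = None
            requests.append(current)
            continue
        if current is None:
            continue
        _ts, _, rest = line.partition(" ")
        if rest.startswith("Requested flags:"):
            current["flags"] = _split_flags(rest[len("Requested flags:"):])
        elif rest.startswith("sending "):
            current = None  # reply sent; later lines belong to the next request
        elif not rest.startswith("Using "):
            current["error"] = rest
    return requests


def renewal_report(requests):
    """Per client principal: number of renewal TGS-REQs and which were refused."""
    report = {}
    for r in requests:
        if r["kind"] != "TGS-REQ" or "renew" not in r["flags"]:
            continue
        entry = report.setdefault(r["client"], {"attempts": 0, "refused": []})
        entry["attempts"] += 1
        if r["error"]:
            entry["refused"].append((r["ts"], r["error"]))
    return report


if __name__ == "__main__":
    for client, entry in renewal_report(parse_kdc_log(SAMPLE_LOG)).items():
        print(f"{client}: {entry['attempts']} renewal attempt(s), "
              f"{len(entry['refused'])} refused")
        for ts, err in entry["refused"]:
            print(f"  {ts}: {err}")
```

Run against a real /var/log/heimdal-kdc.log, the report separates "the client never asked for a renewable ticket" (no renewable flag on the AS-REQ) from "the client asked, and the KDC refused the renewal" (an error line before the reply), which is the distinction the post's second kinit -R turns on.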