[OpenAFS] refresh initial tokens

Ronny Blomme Ronny.Blomme+afs@elis.ugent.be
Fri, 2 Feb 2007 12:17:02 +0100


I am setting up an openafs-1.4.2 client and server on FC4 with heimdal-0.7.2. I replaced the kaserver with the Heimdal KDC.
When I login to this server with ssh, I get tickets/tokens (via /etc/pam.d/sshd).
These initial tickets/tokens can be renewed once with "kinit -R", but the renewed tickets no longer carry the "Flag=R" (renewable flag), so they cannot be renewed again:
# kinit -R
kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

When I get renewable tokens with
# kinit --renewable
the "Flag=R" does not disappear, and I can run "kinit -R" several times.

I think something is wrong with my PAM setup, but I have no idea what...


# cat /etc/pam.d/sshd
# /etc/pam.d/sshd — PAM stack used for ssh logins (FC4 layout, $ISA-expanded module paths).
# Order matters: a "sufficient" module that succeeds ends its management group right there,
# so the modules listed after it never run for that request.
auth        required      /lib/security/$ISA/pam_env.so
# nullok: an account with an empty local password passes this check — a weakening worth reviewing.
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
# Reached only when pam_unix did not already succeed (e.g. the user has no local password);
# try_first_pass reuses the password collected above, ignore_root leaves root out of Kerberos.
# Ticket options for this step (lifetimes, renewable, forwardable) presumably come from the
# [appdefaults] pam block in krb5.conf — confirm against the pam_krb5 documentation.
auth        sufficient    /lib/security/pam_krb5afs.so try_first_pass ignore_root
auth        required      /lib/security/$ISA/pam_deny.so
# Bare module name (no /lib/security/$ISA/ prefix): resolved through the default module
# directory; differs in style from the other lines in this file.
account    required     pam_nologin.so
account     required      /lib/security/$ISA/pam_unix.so
# uid < 100: system accounts skip the remaining account checks (pam_krb5afs, pam_permit).
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_krb5afs.so
account     required      /lib/security/$ISA/pam_permit.so
# retry=3: up to three attempts at choosing a password that passes the strength check.
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
# use_authtok: take the password cracklib already vetted; md5/shadow select the local hash store.
# Because this line is "sufficient", a successful local change ends the stack and the
# Kerberos password below is presumably not changed for users who also have a local password — verify.
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_krb5afs.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
# optional: a failure here (e.g. no credentials to set up) does not block the session.
session     optional      /lib/security/pam_krb5afs.so
# Bare module name again; see the pam_nologin line above.
session    required     pam_loginuid.so

# cat /etc/krb5.conf
# /etc/krb5.conf — read by the Heimdal KDC/kadmin on this host as well as by the Kerberos
# libraries and pam_krb5. Heimdal's own parser: '#' full-line comments, '=' delimiter,
# nested { } blocks for per-realm settings.
[libdefaults]
        default_realm = ELIS.UGENT.BE
[realms]
        ELIS.UGENT.BE = {
                kdc = kerberos.elis.ugent.be:88
                admin_server = kerberos.elis.ugent.be:749
                kpasswd_server = kerberos.elis.ugent.be
                default_domain = elis.ugent.be
        }
[domain_realm]
        .elis.ugent.be = ELIS.UGENT.BE
        elis.ugent.be = ELIS.UGENT.BE
# KDC-side AFS compatibility: kaserver emulation, krb524 (v5 -> v4) conversion, 2b tokens.
# These legacy AFS protocols rely on single-DES keys, hence the des-only default_keys below.
[kdc]
        enable-kaserver = yes
        enable-524 = yes
        afs-cell = elis.ugent.be
        v4-realm = ELIS.UGENT.BE
# Service principals for which the KDC issues 2b (v5-derived) AFS tokens instead of v4-converted ones.
        use_2b = {
                afs@ELIS.UGENT.BE = yes
                afs/elis.ugent.be@ELIS.UGENT.BE = yes
        }
# Two destinations for the same key: Heimdal's [logging] treats repeated entries as additional
# targets, not as an override (a generic INI parser would keep only one of them).
[logging]
        kdc = FILE:/var/log/heimdal-kdc.log
        kdc = SYSLOG:INFO
[kadmin]
# Every newly created principal gets only a single-DES key with the AFS3 salt. DES is a weak
# cipher; this is the cost of the AFS compatibility above (the KDC log indeed shows des-cbc-crc).
        default_keys = des:afs3-salt:elis.ugent.be
        afs-cell = elis.ugent.be
[appdefaults]
# Per-realm options read by pam_krb5. Booleans mix "true" and "yes"; pam_krb5 accepts both,
# but a single form would be clearer.
  pam = {
    ELIS.UGENT.BE = {
# debug: verbose PAM logging — useful while troubleshooting, noisy in production.
      debug = true
      tokens = yes
# Presumably seconds (90000 s = 25 h) — TODO confirm the unit pam_krb5 expects.
      ticket_lifetime = 90000
# NOTE(review): renew_lifetime equals ticket_lifetime, so a renewed ticket's end time may already
# reach the renew-until limit after the first "kinit -R"; that would be consistent with the KDC
# log's "Bad request for renewable ticket" on the second renewal — confirm.
      renew_lifetime = 90000
      forwardable = true
    }
  }
# Presumably tells pam_krb5 which AFS service principals accept v5 (2b) tokens directly,
# mirroring use_2b in [kdc] — verify against the pam_krb5 documentation.
  afs_krb5 = {
    ELIS.UGENT.BE = {
         afs = true
         afs/elis.ugent.be = true
    }
  }

Part of /var/log/heimdal-kdc.log:
>>>>>>>>>>> ssh logon
2007-02-01T18:34:31 AS-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE
2007-02-01T18:34:31 Using des-cbc-crc/des-cbc-crc
2007-02-01T18:34:31 Requested flags: renewable, forwardable
2007-02-01T18:34:31 sending 552 bytes to IPv4:157.193.204.1
2007-02-01T18:34:31 524-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE
2007-02-01T18:34:31 sending 1266 bytes to IPv4:157.193.204.1
2007-02-01T18:34:31 TGS-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for afs/elis.ugent.be@ELIS.UGENT.BE [renewable, forwardable]
2007-02-01T18:34:31 sending 516 bytes to IPv4:157.193.204.1
2007-02-01T18:34:31 524-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for afs/elis.ugent.be@ELIS.UGENT.BE
2007-02-01T18:34:31 sending 1266 bytes to IPv4:157.193.204.1
>>>>>>>>>>> first kinit -R
2007-02-01T18:34:51 TGS-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE [renew, renewable]
2007-02-01T18:34:51 sending 527 bytes to IPv4:157.193.204.1
2007-02-01T18:34:51 TGS-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for afs@ELIS.UGENT.BE
2007-02-01T18:34:51 sending 493 bytes to IPv4:157.193.204.1
2007-02-01T18:34:51 524-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for afs@ELIS.UGENT.BE
2007-02-01T18:34:51 sending 1266 bytes to IPv4:157.193.204.1
>>>>>>>>>>> second kinit -R
2007-02-01T18:34:52 TGS-REQ rb2@ELIS.UGENT.BE from IPv4:157.193.204.1 for krbtgt/ELIS.UGENT.BE@ELIS.UGENT.BE [renew, renewable]
2007-02-01T18:34:52 Bad request for renewable ticket
2007-02-01T18:34:52 sending 135 bytes to IPv4:157.193.204.1




# rpm -qa | grep openafs
openafs-client-1.4.2-fc4.1
openafs-docs-1.4.2-fc4.1
openafs-devel-1.4.2-fc4.1
openafs-1.4.2-fc4.1
openafs-compat-1.4.2-fc4.1
openafs-kernel-smp-1.4.2-2.6.13_1.1532_FC4smp_1
openafs-krb5-1.4.2-fc4.1
openafs-server-1.4.2-fc4.1
openafs-authlibs-1.4.2-fc4.1

# rpm -qa | grep krb5
krb5-workstation-1.4.1-5
openafs-krb5-1.4.2-fc4.1
krb5-libs-1.4.1-5
pam_krb5-2.1.15-2


-- 
Ronny Blomme - Ronny.Blomme@elis.UGent.be
system manager
IMEC/INVOMEC - UGent/ELIS
ELIS - Ghent University - Ghent, Belgium
tel: +32/9/264.42.35 fax: +32/9/264.35.94 gsm: 0472/27.99.67
http://www.elis.UGent.be/RonnyBlomme

***********************************************************************
This e-mail and/or its attachments may contain confidential information.
It is intended solely for the intended addressee(s). Any use of the
information contained herein by other persons is prohibited.
Both IMEC vzw and Ghent University do not accept any liability for the
contents of this mail and/or its attachments.