[OpenAFS] Probleme with aklog

Douglas E. Engert deengert@anl.gov
Mon, 19 Feb 2007 10:14:56 -0600


Your test looks strange, as the same ticket cache (based on your
uid, I assume) is being used in both the kinit and the ssh examples and the
tickets have the same time. This would indicate that SSH did not
get you a Kerberos ticket, or if it did, it stored it in some
other cache and did not set KRB5CCNAME.
You may want to check your sshd_config and your PAM configurations.

The PAM_*afs* routines should only get a token if the ssh got
a Kerberos ticket.



El Barto wrote:
>  Hello,
> 
>  I'm having trouble accessing my afs folders after logging in with
> pam_openafs_session.so (using aklog).
>  I'm running Debian Etch with custom kernel 2.6.18
> and openafs 1.4.2-4.
> 
>  When I use kinit, I get the correct kerberos and afs tickets and
> tokens:
> 
> vadot_e@test-linux:~$ kinit 
> vadot_e@EPITECH.NET's Password: 
> vadot_e@test-linux:~$ klist 
> Credentials cache: FILE:/tmp/krb5cc_38257
>         Principal: vadot_e@EPITECH.NET
> 
>   Issued           Expires          Principal
> Feb 19 11:25:28  Feb 19 22:25:47  krbtgt/EPITECH.NET@EPITECH.NET
> Feb 19 11:25:28  Feb 19 22:25:47  afs@EPITECH.NET
> vadot_e@test-linux:~$ tokens 
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 38257) tokens for afs@EPITECH.NET [Expires Feb 19 22:49]
>    --End of list--
> vadot_e@test-linux:~$ 
> 
>  When I log in with ssh, I do not obtain afs tokens but I do obtain
> kerberos tickets, and if I type aklog I obtain wrong afs tokens and I
> get a Permission denied on my folders:
> 
> elbarto@arcadia> ssh vadot_e@10.242.42.93
> vadot_e@10.242.42.93's password: 
> Linux linux-pourri 2.6.18-3-686 #1 SMP Mon Dec 4 16:41:14 UTC 2006 i686
> 
> The programs included with the Debian GNU/Linux system are free
> software; the exact distribution terms for each program are described
> in the individual files in /usr/share/doc/*/copyright.
> 
> Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> permitted by applicable law.
> Last login: Mon Feb 19 12:22:37 2007 from arcadia.staff.epita.fr
> vadot_e@test-linux:~$ klist 
> Credentials cache: FILE:/tmp/krb5cc_38257
>         Principal: vadot_e@EPITECH.NET
> 
>   Issued           Expires          Principal
> Feb 19 11:25:28  Feb 19 22:25:47  krbtgt/EPITECH.NET@EPITECH.NET
> Feb 19 11:25:28  Feb 19 22:25:47  afs@EPITECH.NET
> vadot_e@test-linux:~$ tokens 
> 
> Tokens held by the Cache Manager:
> 
>    --End of list--
> vadot_e@test-linux:~$ aklog 
> vadot_e@test-linux:~$ tokens 
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 38257) tokens for afs@epitech.net [Expires Feb 19 22:25]
>    --End of list--
> vadot_e@test-linux:~$ ls -l /afs/epitech.net/users/ept4/vadot_e/
> ls: /afs/epitech.net/users/ept4/vadot_e/: Permission denied
> vadot_e@test-linux:~$ 
> 
>  When I log in physically on the computer it does the same as ssh, except
> I automatically get afs tokens without typing aklog. There is a
> problem with the ssh login but my question is not about that.
> 
>  Why do I get tokens @epitech.net with aklog and @EPITECH.NET (which
> works) with kinit? Do I have something wrong in my openafs
> configuration?
> 
>  Many thanks and sorry for the long post.
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
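
Added example, not part of the original message or of OpenAFS: a small Python check that applies the reasoning in the reply to the two `klist` outputs quoted in the post, flagging a cache that still holds tickets issued before the new login and an unset `KRB5CCNAME`. The function names and the `krb5ccname` parameter are assumptions for illustration; the parser handles only the Heimdal-style layout shown in the post.

```python
import re

# klist output copied from the post: after kinit, and again inside the ssh session.
KLIST_AFTER_KINIT = """\
Credentials cache: FILE:/tmp/krb5cc_38257
        Principal: vadot_e@EPITECH.NET

  Issued           Expires          Principal
Feb 19 11:25:28  Feb 19 22:25:47  krbtgt/EPITECH.NET@EPITECH.NET
Feb 19 11:25:28  Feb 19 22:25:47  afs@EPITECH.NET
"""
KLIST_AFTER_SSH = KLIST_AFTER_KINIT  # the post shows identical output after ssh

# One ticket line: issued timestamp, expiry timestamp, service principal.
TICKET = re.compile(r"^(\w{3} +\d+ [\d:]{8})\s+(\w{3} +\d+ [\d:]{8})\s+(\S+)$")

def parse_klist(text):
    """Return (cache, {service: issued}) from Heimdal-style klist output."""
    cache, tickets = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Credentials cache:"):
            cache = line.split(":", 1)[1].strip()
        elif (m := TICKET.match(line)):
            tickets[m.group(3)] = m.group(1)
    return cache, tickets

def diagnose(before, after, krb5ccname=None):
    """Compare klist output taken before a login with output taken after it.

    krb5ccname is the value of $KRB5CCNAME in the new session (None if unset).
    """
    cache_a, tix_a = parse_klist(before)
    cache_b, tix_b = parse_klist(after)
    findings = []
    # Same cache and same issue time means the login did not write new tickets here.
    reused = sorted(s for s in tix_b if tix_a.get(s) == tix_b[s])
    if cache_a == cache_b and reused:
        findings.append(f"stale: {cache_b} holds tickets issued before the login: {reused}")
    if not krb5ccname:
        findings.append("KRB5CCNAME unset: klist and aklog fall back to the default cache")
    return findings

if __name__ == "__main__":
    for finding in diagnose(KLIST_AFTER_KINIT, KLIST_AFTER_SSH):
        print(finding)
```
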