[OpenAFS] pam errors login... win2003AD krb5 server

Lars Schimmer l.schimmer@cgv.tugraz.at
Sat, 09 Jun 2007 12:31:58 +0200


Russ Allbery wrote:
> Lars Schimmer <l.schimmer@cgv.tugraz.at> writes:
>
>> I changed krb5 server from MIT to Win 2003 AD (on another PC).  So I
>> only changed the name of the krb5 server in the krb5.conf and rebooted.
>> LogIn as root and kinit user /aklog obtained me tickets/tokens.  Login
>> via gdm/pam doesn't do well (it works with MIT krb5 server, not with
>> Win2003AD). Syslog tells me this:
>
>> Jun  8 09:30:01 testpc CRON[5056]: (pam_krb5): none: pam_sm_acct_mgmt: entry (0x8000)
>> Jun  8 09:30:01 testpc CRON[5056]: (pam_krb5): none: skipping non-Kerberos login
>> Jun  8 09:30:01 testpc CRON[5056]: (pam_krb5): none: pam_sm_acct_mgmt: exit (success)
>> Jun  8 09:30:01 testpc CRON[5056]: (pam_krb5): none: pam_sm_setcred: entry (0x2)
>> Jun  8 09:30:01 testpc CRON[5056]: (pam_krb5): none: no context found, creating one
>> Jun  8 09:30:01 testpc CRON[5056]: (pam_krb5): none: ignoring root user
>
> Those syslog messages are all from cron running session hooks before
> jobs.  We'd need to see the log messages from gdm to figure out what's
> wrong with gdm.

Ok, I set debug info of gdm to enable. Some more info, but not much.
I switched from MIT krb5 server to Win2003 AD server.
I can login to "debian etch" linux as root, kinit schimmer/aklog and go
to my AFS space, all fine with the correct token.
While trying to log in with gdm it prints out these errors:

Jun  9 12:26:56 testpc gdm[3320]: set config key debug/Enable to boolean true
Jun  9 12:26:56 testpc gdm[3320]: Handling user message: 'CLOSE'
Jun  9 12:27:01 testpc gdm[3326]: (pam_krb5): none: pam_sm_authenticate: entry (0x0)
Jun  9 12:27:03 testpc gdm[3326]: (pam_krb5): schimmer: credential verification failed: Key table entry not found
Jun  9 12:27:03 testpc gdm[3326]: (pam_krb5): schimmer: pam_sm_authenticate: exit (failure)
Jun  9 12:27:03 testpc gdm[3320]: Handling message: 'QUERYLOGIN 3326 schimmer'
Jun  9 12:27:03 testpc gdm[3320]: Got QUERYLOGIN schimmer
Jun  9 12:27:03 testpc gdm[3326]: (pam_krb5): none: pam_sm_acct_mgmt: entry (0x0)
Jun  9 12:27:03 testpc gdm[3326]: (pam_krb5): none: skipping non-Kerberos login
Jun  9 12:27:03 testpc gdm[3326]: (pam_krb5): none: pam_sm_acct_mgmt: exit (success)
Jun  9 12:27:03 testpc gdm[3326]: (pam_krb5): none: pam_sm_setcred: entry (0x2)
Jun  9 12:27:03 testpc gdm[3326]: (pam_krb5): none: no context found, creating one
Jun  9 12:27:03 testpc gdm[3326]: (pam_krb5): schimmer: unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Jun  9 12:27:03 testpc gdm[3326]: (pam_krb5): none: pam_sm_setcred: exit (success)
Jun  9 12:27:03 testpc gdm[3326]: (pam_krb5): none: pam_sm_setcred: entry (0x2)
Jun  9 12:27:03 testpc gdm[3326]: (pam_krb5): none: no context found, creating one
Jun  9 12:27:03 testpc gdm[3326]: (pam_krb5): schimmer: unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Jun  9 12:27:03 testpc gdm[3326]: (pam_krb5): none: pam_sm_setcred: exit (success)
Jun  9 12:27:03 testpc gdm[3326]: pam_openafs-krb5: open_session: Could not find Kerberos tickets; not running aklog
Jun  9 12:27:03 testpc gdm[3320]: Handling message: 'LOGGED_IN 3326 1'

kdm didn't even work on etch with the MIT krb5 server, but gdm worked until
the switch to Win AD 2003.

MfG,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723