[OpenAFS] pam errors login... win2003AD krb5 server
Lars Schimmer
l.schimmer@cgv.tugraz.at
Sat, 09 Jun 2007 12:31:58 +0200
Russ Allbery wrote:
> Lars Schimmer <l.schimmer@cgv.tugraz.at> writes:
>
>> I changed krb5 server from MIT to Win 2003 AD (on another PC). So I
>> only changed the name of the krb5 server in the krb5.conf and rebooted.
>> LogIn as root and kinit user /aklog obtained me tickets/tokens. Login
>> via gdm/pam doesn't do well (it works with MIT krb5 server, not with
>> Win2003AD). Syslog tells me this:
>
>> Jun 8 09:30:01 testpc CRON[5056]: (pam_krb5): none: pam_sm_acct_mgmt:
>> entry (0x8000)
>> Jun 8 09:30:01 testpc CRON[5056]: (pam_krb5): none: skipping
>> non-Kerberos login
>> Jun 8 09:30:01 testpc CRON[5056]: (pam_krb5): none: pam_sm_acct_mgmt:
>> exit (success)
>> Jun 8 09:30:01 testpc CRON[5056]: (pam_krb5): none: pam_sm_setcred:
>> entry (0x2)
>> Jun 8 09:30:01 testpc CRON[5056]: (pam_krb5): none: no context found,
>> creating one
>> Jun 8 09:30:01 testpc CRON[5056]: (pam_krb5): none: ignoring root user
>
> Those syslog messages are all from cron running session hooks before
> jobs. We'd need to see the log messages from gdm to figure out what's
> wrong with gdm.
Ok, I set debug info of gdm to enable. Some more info, but not much.
I switched from MIT krb5 server to Win2003 AD server.
I can log in to "debian etch" linux as root, kinit schimmer/aklog and go
to my AFS space, all fine with the correct token.
While trying to log in with gdm it prints out these errors:
Jun 9 12:26:56 testpc gdm[3320]: set config key debug/Enable to boolean
true
Jun 9 12:26:56 testpc gdm[3320]: Handling user message: 'CLOSE'
Jun 9 12:27:01 testpc gdm[3326]: (pam_krb5): none: pam_sm_authenticate:
entry (0x0)
Jun 9 12:27:03 testpc gdm[3326]: (pam_krb5): schimmer: credential
verification failed: Key table entry not found
Jun 9 12:27:03 testpc gdm[3326]: (pam_krb5): schimmer:
pam_sm_authenticate: exit (failure)
Jun 9 12:27:03 testpc gdm[3320]: Handling message: 'QUERYLOGIN 3326
schimmer'
Jun 9 12:27:03 testpc gdm[3320]: Got QUERYLOGIN schimmer
Jun 9 12:27:03 testpc gdm[3326]: (pam_krb5): none: pam_sm_acct_mgmt:
entry (0x0)
Jun 9 12:27:03 testpc gdm[3326]: (pam_krb5): none: skipping
non-Kerberos login
Jun 9 12:27:03 testpc gdm[3326]: (pam_krb5): none: pam_sm_acct_mgmt:
exit (success)
Jun 9 12:27:03 testpc gdm[3326]: (pam_krb5): none: pam_sm_setcred:
entry (0x2)
Jun 9 12:27:03 testpc gdm[3326]: (pam_krb5): none: no context found,
creating one
Jun 9 12:27:03 testpc gdm[3326]: (pam_krb5): schimmer: unable to get
PAM_KRB5CCNAME, assuming non-Kerberos login
Jun 9 12:27:03 testpc gdm[3326]: (pam_krb5): none: pam_sm_setcred: exit
(success)
Jun 9 12:27:03 testpc gdm[3326]: (pam_krb5): none: pam_sm_setcred:
entry (0x2)
Jun 9 12:27:03 testpc gdm[3326]: (pam_krb5): none: no context found,
creating one
Jun 9 12:27:03 testpc gdm[3326]: (pam_krb5): schimmer: unable to get
PAM_KRB5CCNAME, assuming non-Kerberos login
Jun 9 12:27:03 testpc gdm[3326]: (pam_krb5): none: pam_sm_setcred: exit
(success)
Jun 9 12:27:03 testpc gdm[3326]: pam_openafs-krb5: open_session: Could
not find Kerberos tickets; not running aklog
Jun 9 12:27:03 testpc gdm[3320]: Handling message: 'LOGGED_IN 3326 1'
kdm didn't even work on etch with MIT krb5 server, but gdm worked until
the switch to Win AD 2003.
Best regards,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: l.schimmer@cgv.tugraz.at
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723