[OpenAFS] Re: A problem with authentication

Sergio Gelato Sergio.Gelato@astro.su.se
Mon, 12 Mar 2007 19:28:23 +0100


* Dr A V Le Blanc [2007-03-12 14:58:12 +0000]:
> I wrote:
> > We have a very old AFS cell, installed with kaserver back in 1991,
> > and we later migrated to use heimdal instead of kaserver.  This was
> > working well with Debian sarge installations, which were our standard
> > setup until recently.  When we started upgrading some of our clients
> > to Debian etch (libpam-heimdal moves from 1.0-17 to 2.5-1), we're
> > seeing problems with some people getting failed login problems
> > repeatedly (in /var/log/auth.log we see 'Failed password for xxx').
> > If we change the pam library from libpam-heimdal to the MIT-based
> > libpam-krb5 (version 2.6-1), there are still some failures, but
> > not as many.
>
> Love Hörnquist Åstrand wrote:
> > Is it any corresponding error in the KDC log ?
>
[...]
> Is it normal to have over 2 million lines per day in the log file?

I have on the order of one hundred thousand, but it's a small realm
and you said your Windows client configuration was responsible for
most of yours. As long as the KDC can handle the load, why should
it be a problem?

> Because of the usage of the system, it's pretty hard to
> locate particular failures.  Here are two I think might correspond.
> In the log from sshd I find:
>
>      Mar 12 09:57:04 hostname sshd[26414]: Failed password for username from ipaddress port 1084 ssh2
>
> and at the same time in heimdal-kdc log I find:
>
>      AS-REQ username@REALMNAME from IPv4:ipaddress for krbtgt/REALMNAME@REALMNAME
>      Using des-cbc-crc/des-cbc-crc
>      Requested flags: renewable_ok, proxiable, forwardable
>      sending 493 bytes to IPv4:ipaddress
>      AS-REQ username@REALMNAME from IPv4:ipaddress for krbtgt/REALMNAME@REALMNAME
>      Using des-cbc-crc/des-cbc-crc
>      Requested flags: renewable_ok, proxiable, forwardable
>      sending 493 bytes to IPv4:ipaddress
>
> To me this looks as though the login ought to have succeeded.
> Any clarification welcome.

The TGT was indeed granted. Depending on your PAM configuration,
there may need to be a successful TGS-REQ for host/clienthost@REALMNAME
immediately afterwards. And the PAM module may return a failure
code for some other reason as well (e.g., in the account phase).
Did you try adding "debug" arguments to your PAM module invocations?
(You'll probably need to look at the source code for your PAM module
to make sense out of the resulting logs; but I've found it to be a
very helpful troubleshooting technique.)

I believe Debian's MIT-based PAM modules are more thoroughly tested
than libpam-heimdal, or at least they have a larger user base.
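The reply above makes two points that are worth turning into a concrete check: a "Failed password" from sshd can sit next to a perfectly successful AS-REQ in the KDC log, and what distinguishes the cases is whether a TGS-REQ for host/clienthost followed the TGT (the PAM module verifying the KDC against its keytab) and whether the failure happened after Kerberos authentication altogether (account phase, another stacked module). With two million KDC lines a day, pairing each sshd failure with the matching KDC requests by hand is the hard part. The script below is an added example written for this page; it is not code from the thread, from Heimdal or from either PAM module. It correlates constructed sample lines in the two formats shown above and classifies each sshd failure. Assumptions, all labelled in the code: syslog timestamps carry no year (2007 is assumed), the Heimdal KDC log is prefixed with an ISO-style timestamp and written sequentially (one request at a time), and KDC rejections are recognised heuristically by lines such as "Failed to decrypt PA-DATA"; the realm EXAMPLE.ORG, host names and IP addresses are made up.

```python
import re
from datetime import datetime, timedelta

YEAR = 2007  # assumption: syslog lines carry no year; taken from the constructed sample
WINDOW = timedelta(seconds=5)  # how far apart sshd and KDC timestamps may be to count as one login

# Verdicts returned by classify(); kept as constants so callers can compare exactly.
NO_AS_REQ = "no AS-REQ from this user/client reached the KDC"
AS_REJECTED = "AS-REQ rejected by KDC"
TGT_NO_HOST = "TGT granted, no host/ TGS-REQ followed: check PAM keytab verification or account phase"
HOST_REJECTED = "TGT granted, host/ TGS-REQ rejected"
KERBEROS_OK = "TGT and host/ ticket granted: failure happened after Kerberos authentication"

# Constructed sample of /var/log/auth.log (not from the original post).
SSHD_LOG = """\
Mar 12 09:57:04 hostname sshd[26414]: Failed password for alice from 192.0.2.10 port 1084 ssh2
Mar 12 09:58:30 hostname sshd[26501]: Failed password for bob from 192.0.2.11 port 1090 ssh2
Mar 12 09:59:12 hostname sshd[26533]: Failed password for carol from 192.0.2.12 port 1101 ssh2
"""

# Constructed sample of a Heimdal KDC log. Assumption: each line is prefixed with a
# YYYY-MM-DDTHH:MM:SS timestamp and the KDC logs one request at a time.
KDC_LOG = """\
2007-03-12T09:57:04 AS-REQ alice@EXAMPLE.ORG from IPv4:192.0.2.10 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
2007-03-12T09:57:04 Using des-cbc-crc/des-cbc-crc
2007-03-12T09:57:04 Requested flags: renewable_ok, proxiable, forwardable
2007-03-12T09:57:04 sending 493 bytes to IPv4:192.0.2.10
2007-03-12T09:58:30 AS-REQ bob@EXAMPLE.ORG from IPv4:192.0.2.11 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
2007-03-12T09:58:30 Using des-cbc-crc/des-cbc-crc
2007-03-12T09:58:30 sending 493 bytes to IPv4:192.0.2.11
2007-03-12T09:58:30 TGS-REQ bob@EXAMPLE.ORG from IPv4:192.0.2.11 for host/hostname.example.org@EXAMPLE.ORG
2007-03-12T09:58:30 sending 512 bytes to IPv4:192.0.2.11
2007-03-12T09:59:12 AS-REQ carol@EXAMPLE.ORG from IPv4:192.0.2.12 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
2007-03-12T09:59:12 Failed to decrypt PA-DATA -- carol@EXAMPLE.ORG
2007-03-12T09:59:12 sending 140 bytes to IPv4:192.0.2.12
"""

SSHD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (\S+) from (\S+) port")
KDC_REQ_RE = re.compile(r"^(\S+) (AS-REQ|TGS-REQ) (\S+)@\S+ from IPv4:(\S+) for (\S+)@")
KDC_SEND_RE = re.compile(r"^\S+ sending \d+ bytes to IPv4:(\S+)")
# Heuristic (assumption): lines like these between a request and its reply mean the KDC rejected it.
KDC_ERR_RE = re.compile(r"^\S+ (?:Failed |UNKNOWN |.*not found)")


def sshd_failures(text):
    """Yield (time, user, client_ip) for every 'Failed password' line."""
    out = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            out.append((datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2), m.group(3)))
    return out


def kdc_requests(text):
    """Parse KDC requests into dicts with a 'granted' flag.

    The KDC sends a reply ('sending N bytes') for successes and for KRB-ERRORs alike,
    so a request only counts as granted if no error line appeared before its reply."""
    events, current = [], None
    for line in text.splitlines():
        m = KDC_REQ_RE.match(line)
        if m:
            current = {"time": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"), "kind": m.group(2),
                       "user": m.group(3), "ip": m.group(4), "service": m.group(5), "granted": None}
            events.append(current)
        elif current is None:
            continue
        elif KDC_SEND_RE.match(line):
            if current["granted"] is None:
                current["granted"] = True  # reply with no preceding error: ticket issued
            current = None
        elif KDC_ERR_RE.match(line):
            current["granted"] = False
    return events


def classify(failure, events):
    """Explain one sshd failure from the KDC requests made by the same user and client."""
    t, user, ip = failure
    mine = [e for e in events if e["user"] == user and e["ip"] == ip and abs(e["time"] - t) <= WINDOW]
    as_reqs = [e for e in mine if e["kind"] == "AS-REQ"]
    if not as_reqs:
        return NO_AS_REQ
    if not any(e["granted"] for e in as_reqs):
        return AS_REJECTED
    host = [e for e in mine if e["kind"] == "TGS-REQ" and e["service"].startswith("host/")]
    if not host:
        return TGT_NO_HOST
    if not any(e["granted"] for e in host):
        return HOST_REJECTED
    return KERBEROS_OK


def correlate(sshd_text, kdc_text):
    events = kdc_requests(kdc_text)
    return [(user, ip, classify((t, user, ip), events)) for t, user, ip in sshd_failures(sshd_text)]


if __name__ == "__main__":
    for user, ip, verdict in correlate(SSHD_LOG, KDC_LOG):
        print(f"{user}@{ip}: {verdict}")
```

In the sample, alice is the case from the post (TGT issued, nothing else), bob's login got both the TGT and the host/ service ticket and still failed, which points at the account phase or another module in the stack, and carol's AS-REQ was rejected, which is an ordinary wrong password. On a real log, replace the constructed strings with the file contents and widen WINDOW if the client and KDC clocks drift.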