[OpenAFS] RHEL5, pam_afs, sshd; no token

Richard Brittain richard@northstar.dartmouth.edu
Thu, 17 May 2007 19:39:15 -0400 (EDT)


I'm just getting my feet wet with RHEL5 on an x86_64 box, and built 
OpenAFS 1.4.4 by using 'rpmbuild' with the SRPM package for RHEL4.  It 
seemed to build completely cleanly, installed first time, and works fine 
when authenticating with klog.

When I tried inserting the call to pam_afs in /etc/pam.d/system-auth, it 
worked for console text logins (authenticated, and I have a token and a 
PAG), but for sshd I get logged in with no token or PAG.  Console logins 
with gdm seem to behave the same as SSH, but they are harder to debug.

My PAM config looks like this (which works on RHEL4)
system-auth:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_afs.so try_first_pass ignore_root set_token debug
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

I have SELinux disabled - I was getting flurries of strange errors logged 
before I turned that off.

I've tried various permutations of ordering, and options to pam_afs. 
Any ideas?

Thanks
   Richard

Debug logs below

Debug log looks like this for SSH login:

May 17 19:07:45 newpolaris pam_afs[7833]: AFS Options: nowarn=0, use_first_pass=0, try_first_pass=1, ignore_uid = 1, ignore_uid_id = 0, refresh_token=0, set_token=1, dont_fork=0, use_klog=0
May 17 19:07:45 newpolaris pam_afs[7833]: AFS Username = `richard'
May 17 19:07:45 newpolaris pam_afs[7833]: AFS Trying first password for user richard
May 17 19:07:45 newpolaris pam_afs[7833]: New PAG created in pam_authenticate()
May 17 19:07:45 newpolaris pam_afs[7833]: forking ...
May 17 19:07:45 newpolaris pam_afs[7835]: in child
May 17 19:07:45 newpolaris pam_afs[7833]: in parent, waiting ...
May 17 19:07:45 newpolaris pam_afs[7835]: child: auth_ok=1
May 17 19:07:45 newpolaris pam_afs[7833]: parent: auth_ok=1
May 17 19:07:45 newpolaris pam_afs[7833]: leaving auth: auth_ok=1
May 17 19:07:45 newpolaris pam_afs: AFS Options: nowarn=0, use_first_pass=1, try_first_pass=0, ignore_uid = 1, ignore_uid_id = 0, refresh_token=8, set_token=8, dont_fork=8, use_klog=8
May 17 19:07:45 newpolaris pam_afs: AFS Establishing creds for user richard
May 17 19:07:45 newpolaris pam_afs: AFS Trying first password for user richard
May 17 19:07:45 newpolaris pam_afs: New PAG created in pam_setcred()
May 17 19:07:45 newpolaris sshd[7833]: Accepted password for richard from 129.170.16.93 port 34469 ssh2
May 17 19:07:45 newpolaris sshd: pam_unix(sshd:session): session opened for user richard by (uid=0)
May 17 19:07:45 newpolaris login: pam_unix(remote:session): session opened for user richard by root(uid=0)
May 17 19:07:45 newpolaris login: LOGIN ON pts/2 BY richard FROM sierra.dartmouth.edu

- and for console logins, which work correctly, it is almost identical:

May 17 19:11:55 newpolaris pam_afs[4589]: AFS Options: nowarn=0, use_first_pass=0, try_first_pass=1, ignore_uid = 1, ignore_uid_id = 0, refresh_token=0, set_token=1, dont_fork=0, use_klog=0
May 17 19:11:55 newpolaris pam_afs[4589]: AFS Username = `richard'
May 17 19:11:55 newpolaris pam_afs[4589]: AFS Trying first password for user richard
May 17 19:11:55 newpolaris pam_afs[4589]: New PAG created in pam_authenticate()
May 17 19:11:55 newpolaris pam_afs[4589]: forking ...
May 17 19:11:55 newpolaris pam_afs[7869]: in child
May 17 19:11:55 newpolaris pam_afs[4589]: in parent, waiting ...
May 17 19:11:55 newpolaris pam_afs[7869]: child: auth_ok=1
May 17 19:11:55 newpolaris pam_afs[4589]: parent: auth_ok=1
May 17 19:11:55 newpolaris pam_afs[4589]: leaving auth: auth_ok=1
May 17 19:11:55 newpolaris pam_afs: AFS Options: nowarn=0, use_first_pass=1, try_first_pass=0, ignore_uid = 1, ignore_uid_id = 0, refresh_token=8, set_token=8, dont_fork=8, use_klog=8
May 17 19:11:55 newpolaris pam_afs: AFS Establishing creds for user richard
May 17 19:11:55 newpolaris pam_afs: AFS Trying first password for user richard
May 17 19:11:55 newpolaris pam_afs: New PAG created in pam_setcred()
May 17 19:11:55 newpolaris  -- richard: LOGIN ON tty1 BY richard
May 17 19:11:55 newpolaris login[4589]: pam_unix(login:session): session opened for user richard by LOGIN(uid=0)
May 17 19:11:55 newpolaris  -- richard: LOGIN ON tty1 BY richard


-- 
Richard Brittain,  Kiewit Computing Services, 6224 Baker/Berry Library
                    Dartmouth College, Hanover NH 03755
Email: richard.brittain@dartmouth.edu
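A quick way to confirm what the post reports (a PAG on console login, none over SSH) is to inspect the login session's supplementary groups rather than trusting the pam_afs debug output, which looks the same in both cases. The script below is an added example, not code from the post or from OpenAFS; it assumes the Linux 2.6 / OpenAFS 1.4 convention of carrying the PAG as a single supplementary gid whose top byte is 0x41 ('A', so 0x41000000..0x41ffffff) and does not handle the older two-gid encoding. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of OpenAFS or the post).
# Assumption: on Linux 2.6 with OpenAFS 1.4 the PAG is one supplementary
# gid in the range 0x41000000..0x41ffffff (top byte 'A').
PAG_MIN=1090519040   # 0x41000000
PAG_MAX=1107296255   # 0x41ffffff

# pag_in_groups GID...  -> prints the PAG gid and returns 0 if one is
# present in the argument list, returns 1 otherwise.
pag_in_groups() {
    for g in "$@"; do
        if [ "$g" -ge "$PAG_MIN" ] && [ "$g" -le "$PAG_MAX" ]; then
            echo "$g"
            return 0
        fi
    done
    return 1
}

# check_session -> reports whether the calling process sits in a PAG
# and, when the OpenAFS 'tokens' command is available, what tokens it
# holds. Returns 0 if a PAG was found, 1 if not.
check_session() {
    if pag=$(pag_in_groups $(id -G)); then
        printf 'PAG gid: %s (0x%x)\n' "$pag" "$pag"
        rc=0
    else
        echo "no PAG in supplementary groups: $(id -G)"
        rc=1
    fi
    if command -v tokens >/dev/null 2>&1; then
        tokens
    fi
    return $rc
}
```

Source the file and run `check_session` once from a console login and once from an SSH login; a session that authenticated but was left outside its PAG (the post's sshd case) reports "no PAG in supplementary groups" even when pam_afs logged "New PAG created".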