[OpenAFS] Solaris 10 (x86): pam_afs_session
Douglas E. Engert
deengert@anl.gov
Fri, 22 Feb 2008 13:49:08 -0600
John Tang Boyland wrote:
> ] Russ Allbery wrote:
> ] > John Tang Boyland <boyland@cs.uwm.edu> writes:
> ] >
> ] >> ] It looks like you're not running pam_krb5 in the session stack. pam_krb5
> ] >> ] should be listed in the session stack before pam_afs_session, and that
> ] >> ] will probably fix the problem.
> ] >>
> ] >> (BTW: This is Sun-provided pam_krb5)
> ] >
> ] > Ah, hm. I wonder if the Sun-provided pam_krb5 won't write out the ticket
> ] > cache during pam_open_session the way that mine will.
> ] >
> ] > You may have to try Unix first and then try pam_krb5 so that you can put
> ] > pam_afs_session into the auth group. Something like:
> ] >
> ] > dtlogin auth requisite pam_authtok_get.so.1
> ] > dtlogin auth required pam_dhkeys.so.1
> ] > dtlogin auth required pam_unix_cred.so.1
> ] > dtlogin auth sufficient pam_unix_auth.so.1
> ] > dtlogin auth required pam_krb5.so.1
> ] > dtlogin auth required pam_afs_session.so.1
> ]
> ] I believe you are correct. As a test I built the pam_afs_session-1.5
> ] on Solaris 10, (sparc) using the Sun Kerberos, and OpenAFS 1.4.6
> ] as I have been meaning to do this for some time to see if it could
> ] replace pam_afs2. I then modified /etc/pam.conf to call pam_afs_session
> ] in a few places, (but not all yet) In all cases it is using the pam_sm_setcred
> ] routine to set pag and/or get a token.
> ]
What shows up in /var/adm/messages if the /etc/pam.conf has:
dtlogin auth requisite pam_authtok_get.so.1 debug
dtlogin auth required pam_dhkeys.so.1 debug
dtlogin auth required pam_unix_cred.so.1 debug
dtlogin auth optional pam_krb5.so.1 debug
dtlogin auth required /krb5/lib/pam_afs_session.so.1 debug
dtlogin auth optional pam_unix_auth.so.1 debug
On my system the interesting lines contain:
dtlogin[2604]: [ID 655841 user.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
dtlogin[2604]: [ID 549540 user.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='myusername'
dtlogin[2604]: [ID 179272 user.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
dtlogin[2604]: [ID 833335 user.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 0
dtlogin[2604]: [ID 914654 user.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =0, env ='KRB5CCNAME=FILE:/tmp/krb5cc_1000', age = 0, status = 0
dtlogin[2604]: [ID 525286 user.debug] PAM-KRB5 (auth): end: Success
dtlogin[2619]: [ID 629253 user.debug] PAM-KRB5 (setcred): start: nowarn = 0, flags = 0x1
dtlogin[2619]: [ID 586274 user.debug] PAM-KRB5 (setcred): kmd auth_status: Success
dtlogin[2619]: [ID 522831 user.debug] PAM-KRB5 (setcred): attempt_refresh: set uid of user 'myusername'
dtlogin[2619]: [ID 156909 user.debug] PAM-KRB5 (setcred): User not in cred cache (No credentials cache file found)
(The above says it did not find the /tmp/krb5cc_1000, so had to create the file.
If there was a preexisting /tmp/krb5cc_1000 it would have "refreshed" the creds.)
dtlogin[2619]: [ID 735350 user.debug] PAM-KRB5 (setcred): end: Success
dtlogin[2619]: [ID 237248 user.debug] (pam_afs_session): pam_sm_setcred: entry (0x1)
dtlogin[2619]: [ID 237248 user.debug] (pam_afs_session): running /usr/afsws/bin/aklog as UID 1000
aklog[2620]: [ID 218067 user.debug] pkcs11_softtoken: Keystore access failed.
dtlogin[2619]: [ID 237248 user.debug] (pam_afs_session): pam_sm_setcred: exit (success)
Note that pam_krb5 with the setcred was called, and saved the cache.
Then pam_afs_session was called from the setcred and called aklog that worked.
> ] #DEE smartcard failed, so skip it for now
> ] #dtlogin auth requisite pam_smartcard.so.1
> ] dtlogin auth requisite pam_authtok_get.so.1
> ] dtlogin auth required pam_dhkeys.so.1
> ] dtlogin auth required pam_unix_cred.so.1
> ] dtlogin auth optional pam_krb5.so.1
> ] dtlogin auth required /krb5/lib/pam_afs_session.so.1 debug
> ] #dtlogin auth required /krb5/lib/pam_afs2.so.1
> ] # allows password login
> ] dtlogin auth optional pam_unix_auth.so.1
> ]
> ] #
> ] # dtsession - lock/unlock screen, refresh creds and AFS token
> ] #
> ] dtsession auth requisite pam_authtok_get.so.1
> ] dtsession auth required pam_dhkeys.so.1
> ] dtsession auth optional pam_krb5.so.1
> ] dtsession auth required /krb5/lib/pam_afs_session.so.1 debug
> ] #dtsession auth required /krb5/lib/pam_afs2.so.1 nopag
> ] # allows unlock with local password
> ] dtsession auth optional pam_unix_auth.so.1
> ]
> ] #
> ] # xscreensaver used by gnome or CDE
> ] #
> ] xscreensaver auth requisite pam_authtok_get.so.1
> ] xscreensaver auth required pam_dhkeys.so.1
> ] xscreensaver auth optional pam_krb5.so.1
> ] xscreensaver auth required /krb5/lib/pam_afs_session.so.1 debug
> ] #xscreensaver auth required /krb5/lib/pam_afs2.so.1 nopag
> ] # allows unlock with local password
> ] xscreensaver auth optional pam_unix_auth.so.1
> ] #
> ]
> ] --
> ]
> ] Douglas E. Engert <DEEngert@anl.gov>
> ] Argonne National Laboratory
> ] 9700 South Cass Avenue
> ] Argonne, Illinois 60439
> ] (630) 252-5444
>
> Sorry, I finally have time to reply to this. I tried both
> suggestions but neither worked. It still writes out
> the kerberos token after calling pam_afs_session.
>
> This is specific to dtlogin, sshd does fine.
>
> The workaround to log in twice: first in failsafe session,
> immediately log out, and then log in using the normal session.
>
> John
>
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
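An added example, not part of the thread: a small sh/awk check that automates the reading of /var/adm/messages described above, confirming that for one dtlogin PID the PAM-KRB5 setcred pass finished (so the ticket cache exists) before pam_afs_session ran aklog. The log lines embedded in it are constructed after the debug output quoted in the message; the PID 2700 lines are an invented counter-example showing the wrong order, and the path /usr/afsws/bin/aklog is taken from the quoted log.

```shell
#!/bin/sh
# Constructed sample, modelled on the pam_krb5 / pam_afs_session debug lines
# quoted in the message: setcred in pam_krb5 completes, then aklog runs.
SAMPLE_LOG='dtlogin[2619]: [ID 629253 user.debug] PAM-KRB5 (setcred): start: nowarn = 0, flags = 0x1
dtlogin[2619]: [ID 735350 user.debug] PAM-KRB5 (setcred): end: Success
dtlogin[2619]: [ID 237248 user.debug] (pam_afs_session): pam_sm_setcred: entry (0x1)
dtlogin[2619]: [ID 237248 user.debug] (pam_afs_session): running /usr/afsws/bin/aklog as UID 1000
dtlogin[2619]: [ID 237248 user.debug] (pam_afs_session): pam_sm_setcred: exit (success)'

# Invented counter-example (PID 2700): aklog runs before pam_krb5 has
# written the cache, which is the symptom discussed in the thread.
BAD_LOG='dtlogin[2700]: [ID 237248 user.debug] (pam_afs_session): pam_sm_setcred: entry (0x1)
dtlogin[2700]: [ID 237248 user.debug] (pam_afs_session): running /usr/afsws/bin/aklog as UID 1000
dtlogin[2700]: [ID 237248 user.debug] (pam_afs_session): pam_sm_setcred: exit (success)
dtlogin[2700]: [ID 629253 user.debug] PAM-KRB5 (setcred): start: nowarn = 0, flags = 0x1
dtlogin[2700]: [ID 735350 user.debug] PAM-KRB5 (setcred): end: Success'

# check_order PID  (log on stdin)
#   exit 0: pam_krb5 setcred completed before aklog ran for that PID
#   exit 1: wrong order, or pam_krb5 setcred never completed
#   exit 2: no aklog run seen for that PID at all
check_order() {
    awk -v pid="$1" '
        # only look at lines belonging to the requested dtlogin process
        index($0, "[" pid "]") == 0 { next }
        /PAM-KRB5 \(setcred\): end: Success/   { krb_done = NR }
        /\(pam_afs_session\): running .*aklog/ { aklog_at = NR }
        END {
            if (!aklog_at) { print "no aklog run logged for pid " pid; exit 2 }
            if (!krb_done) { print "pam_krb5 setcred never completed for pid " pid; exit 1 }
            if (krb_done < aklog_at) { print "ok: ticket cache written before aklog"; exit 0 }
            print "order problem: aklog ran before pam_krb5 setcred completed"; exit 1
        }'
}

# Usage against the live log:  check_order 2619 < /var/adm/messages
printf '%s\n' "$SAMPLE_LOG" | check_order 2619
printf '%s\n' "$BAD_LOG" | check_order 2700
```

Run it with the PID taken from the dtlogin[...] prefix of the login you are debugging; the pam.conf stacks must still carry the debug option for these lines to appear.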