[OpenAFS] Solaris 10 (x86): pam_afs_session

Douglas E. Engert deengert@anl.gov
Fri, 22 Feb 2008 13:49:08 -0600


John Tang Boyland wrote:
> ] Russ Allbery wrote:
> ] > John Tang Boyland <boyland@cs.uwm.edu> writes:
> ] > 
> ] >> ] It looks like you're not running pam_krb5 in the session stack.  pam_krb5
> ] >> ] should be listed in the session stack before pam_afs_session, and that
> ] >> ] will probably fix the problem.
> ] >>
> ] >> (BTW: This is Sun-provided pam_krb5)
> ] > 
> ] > Ah, hm.  I wonder if the Sun-provided pam_krb5 won't write out the ticket
> ] > cache during pam_open_session the way that mine will.
> ] > 
> ] > You may have to try Unix first and then try pam_krb5 so that you can put
> ] > pam_afs_session into the auth group.  Something like:
> ] > 
> ] > dtlogin   auth requisite          pam_authtok_get.so.1
> ] > dtlogin   auth required           pam_dhkeys.so.1
> ] > dtlogin   auth required           pam_unix_cred.so.1
> ] > dtlogin   auth sufficient         pam_unix_auth.so.1
> ] > dtlogin   auth required           pam_krb5.so.1
> ] > dtlogin   auth required           pam_afs_session.so.1
> ] 
> ] I believe you are correct. As a test I built the pam_afs_session-1.5
> ] on Solaris 10, (sparc) using the Sun Kerberos, and OpenAFS 1.4.6
> ] as I have been meaning to do this for some time to see if it could
> ] replace pam_afs2. I  then modified /etc/pam.conf to call pam_afs_session
> ] in a few places, (but not all yet) In all cases it is using the pam_sm_setcred
> ] routine to set pag and/or get a token.
> ] 


What shows up in /var/adm/messages if the /etc/pam.conf has:

dtlogin     auth requisite      pam_authtok_get.so.1 debug
dtlogin     auth required       pam_dhkeys.so.1 debug
dtlogin     auth required       pam_unix_cred.so.1 debug
dtlogin     auth optional       pam_krb5.so.1  debug
dtlogin     auth required       /krb5/lib/pam_afs_session.so.1 debug
dtlogin     auth optional       pam_unix_auth.so.1 debug

On my system the interesting lines contain:
dtlogin[2604]: [ID 655841 user.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
dtlogin[2604]: [ID 549540 user.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='myusername'
dtlogin[2604]: [ID 179272 user.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns:
  SUCCESS
dtlogin[2604]: [ID 833335 user.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 0
dtlogin[2604]: [ID 914654 user.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =0, env ='KRB5CCNAME=FILE:/tmp/krb5cc_1000', age = 0, status = 0
dtlogin[2604]: [ID 525286 user.debug] PAM-KRB5 (auth): end: Success


dtlogin[2619]: [ID 629253 user.debug] PAM-KRB5 (setcred): start: nowarn = 0, flags = 0x1
dtlogin[2619]: [ID 586274 user.debug] PAM-KRB5 (setcred): kmd auth_status: Success
dtlogin[2619]: [ID 522831 user.debug] PAM-KRB5 (setcred): attempt_refresh: set uid of user 'myusername'
dtlogin[2619]: [ID 156909 user.debug] PAM-KRB5 (setcred): User not in cred cache (No credentials cache file found)

(The above says it did not find the /tmp/krb5cc_1000, so it had to create the file.
If there was a preexisting /tmp/krb5cc_1000 it would have "refreshed" the creds.)

dtlogin[2619]: [ID 735350 user.debug] PAM-KRB5 (setcred): end: Success
dtlogin[2619]: [ID 237248 user.debug] (pam_afs_session): pam_sm_setcred: entry (0x1)
dtlogin[2619]: [ID 237248 user.debug] (pam_afs_session): running /usr/afsws/bin/aklog as UID 1000
aklog[2620]: [ID 218067 user.debug] pkcs11_softtoken: Keystore access failed.
dtlogin[2619]: [ID 237248 user.debug] (pam_afs_session): pam_sm_setcred: exit (success)


Note that pam_krb5 with setcred was called, and saved the cache.
Then pam_afs_session was called from setcred and called aklog, which worked.



> ] #DEE smartcard failed, so skip it for now
> ] #dtlogin    auth requisite      pam_smartcard.so.1
> ] dtlogin     auth requisite      pam_authtok_get.so.1
> ] dtlogin     auth required       pam_dhkeys.so.1
> ] dtlogin     auth required       pam_unix_cred.so.1
> ] dtlogin     auth optional       pam_krb5.so.1
> ] dtlogin     auth required       /krb5/lib/pam_afs_session.so.1 debug
> ] #dtlogin        auth required       /krb5/lib/pam_afs2.so.1
> ] # allows password login
> ] dtlogin     auth optional       pam_unix_auth.so.1
> ] 
> ] #
> ] # dtsession - lock/unlock screen, refresh creds and AFS token
> ] #
> ] dtsession   auth requisite      pam_authtok_get.so.1
> ] dtsession   auth required       pam_dhkeys.so.1
> ] dtsession   auth optional       pam_krb5.so.1
> ] dtsession   auth required       /krb5/lib/pam_afs_session.so.1 debug
> ] #dtsession  auth required       /krb5/lib/pam_afs2.so.1 nopag
> ] # allows unlock with local password
> ] dtsession   auth optional       pam_unix_auth.so.1
> ] 
> ] #
> ] # xscreensaver used by gnome or CDE
> ] #
> ] xscreensaver    auth requisite      pam_authtok_get.so.1
> ] xscreensaver    auth required       pam_dhkeys.so.1
> ] xscreensaver    auth optional       pam_krb5.so.1
> ] xscreensaver    auth required       /krb5/lib/pam_afs_session.so.1 debug
> ] #xscreensaver    auth required      /krb5/lib/pam_afs2.so.1  nopag
> ] # allows unlock with local password
> ] xscreensaver    auth optional       pam_unix_auth.so.1
> ] #
> ] 
> ] -- 
> ] 
> ]   Douglas E. Engert  <DEEngert@anl.gov>
> ]   Argonne National Laboratory
> ]   9700 South Cass Avenue
> ]   Argonne, Illinois  60439
> ]   (630) 252-5444
> 
> Sorry, I finally have time to reply to this.  I tried both
> suggestions but neither worked.  It still writes out
> the kerberos token after calling pam_afs_session.
> 
> This is specific to dtlogin, sshd does fine.
> 
> The workaround to log in twice: first in failsafe session,
> immediately log out, and then log in using the normal session.
> 
> John
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
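The thread's recurring point is that pam_krb5 must be listed before pam_afs_session in whichever stack calls it, so that a ticket cache exists when aklog runs. The following is an added example, not code from the thread or from either PAM module, that parses a Solaris-style pam.conf and reports any stack where pam_afs_session is present but pam_krb5 is missing or listed after it. The sample pam.conf is constructed, modelled on the dtlogin stack posted above, with a deliberately misordered sshd stack for contrast.

```python
"""Check that pam_krb5 precedes pam_afs_session in every PAM stack of a
Solaris /etc/pam.conf (service  type  control  module [options])."""

# Constructed sample: dtlogin as posted in the thread, sshd misordered on purpose.
SAMPLE_PAM_CONF = """\
# dtlogin: Kerberos first, then AFS token, then local password fallback
dtlogin     auth requisite      pam_authtok_get.so.1
dtlogin     auth required       pam_dhkeys.so.1
dtlogin     auth required       pam_unix_cred.so.1
dtlogin     auth optional       pam_krb5.so.1
dtlogin     auth required       /krb5/lib/pam_afs_session.so.1 debug
dtlogin     auth optional       pam_unix_auth.so.1
# sshd: pam_afs_session runs before pam_krb5, so no ticket cache for aklog
sshd        auth required       /krb5/lib/pam_afs_session.so.1
sshd        auth required       pam_krb5.so.1
"""


def parse_pam_conf(text):
    """Return {(service, type): [module basename, ...]} in file order."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                              # malformed entry, skip it
        service, mtype, _control, module = fields[:4]
        name = module.rsplit("/", 1)[-1]          # strip any directory prefix
        stacks.setdefault((service, mtype), []).append(name)
    return stacks


def check_afs_ordering(text):
    """Return [(service, type, problem)] for each stack that lists
    pam_afs_session without a preceding pam_krb5 entry."""
    problems = []
    for (service, mtype), modules in parse_pam_conf(text).items():
        afs = [i for i, m in enumerate(modules) if m.startswith("pam_afs_session")]
        if not afs:
            continue                              # stack does not use AFS
        krb = [i for i, m in enumerate(modules) if m.startswith("pam_krb5")]
        if not krb:
            problems.append((service, mtype, "pam_krb5 missing"))
        elif krb[0] > afs[0]:
            problems.append((service, mtype, "pam_krb5 listed after pam_afs_session"))
    return problems


if __name__ == "__main__":
    for service, mtype, problem in check_afs_ordering(SAMPLE_PAM_CONF):
        print(f"{service} {mtype}: {problem}")
```

Run it against a real /etc/pam.conf by reading the file into `check_afs_ordering`; an empty result means every stack that calls pam_afs_session already has pam_krb5 ahead of it.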