[OpenAFS] pam_krb5 gets no tokens

Moritz Bunse bunse@physik.uni-dortmund.de
Mon, 14 Jan 2008 19:38:37 +0100

I hope you can help me:

We have an AFS cell and a kerberos server with public IPs.  Cluster  
worker nodes are located in a private subnet. It is possible to do  
passwordless login from one PC (SL3) to another, as long these are  
not located in the private subnet.

But If I try to login from one PC with 2 interfaces, one in the  
public ip range and one in the private one, to a worker node (SL4) in  
the private subnet, one gets:

Could not chdir to home directory [...] Permission denied

Default principal: me@REALM

Valid starting     Expires            Service principal
01/14/08 19:27:36  01/15/08 14:17:40  krbtgt/REALM@REALM

Kerberos 4 ticket cache: /tmp/tktXXXX
Principal: me@ REALM

   Issued              Expires             Principal
01/14/08 17:35:22  01/15/08 19:01:43  krbtgt.REALM@REALM

aklog: Couldn't get e4.physik.uni-dortmund.de AFS tickets:
aklog: Incorrect net address while getting AFS tickets

 From pam_krb5 we get:

Jan 14 18:58:17 XXXXX sshd[10573]: pam_krb5[10573]: got error -1  
(Unknown code
  ____ 255) while obtaining tokens for afs.cell


Jan 14 11:08:27 kerberos krb5kdc[1386]: TGS_REQ (1 etypes {1}) PROCESS_TGS: authtime 0,  <unknown client> for afs/ 
realm@REALM, Incorrect net address

/etc/krb5.conf of a worker node located in the private subnet:

  default_realm = REALM
  ticket_lifetime = 25h
  renew_lifetime = 120h
  forwardable = true
  proxiable = true
  noaddresses = true

  REALM = {
   kdc = kerberos.realm
   kpasswd_server = kerberos. realm
   admin_server = kerberos. realm

  . realm = REALM
  realm = REALM

; options for Red Hat pam_krb5-2
  pam = {
    debug = true
    external = true
    ticket_lifetime = 25h
    afs_cells = afs.cell

If you have any idea please let me know.

Thanks in advance,