[OpenAFS] ssh and afs

Sergio Gelato Sergio.Gelato@astro.su.se
Wed, 26 Mar 2008 11:01:33 +0100


* sabah salih [2008-03-25 13:47:23 +0000]:
>  I installed SL43 last week with "heimdal"
>
> openafs-krb5-1.4.4-46.SL4
> kernel-module-openafs-2.6.9-34.EL-1.4.0-8.SL
> openafs-firstboot-1.2.11-5.SL
> openafs-1.4.4-46.SL4
> openafs-kpasswd-1.4.4-46.SL4
> openafs-client-1.4.4-46.SL4
> kernel-module-openafs-2.6.9-67.0.4.EL-1.4.4-46.SL4
> openafs-compat-1.4.4-46.SL4
> openafs-devel-1.4.4-46.SL4
>
>  heimdal-tools-0.6.3-11.SL4
>  heimdal-0.6.3-11.SL4
>  heimdal-devel-0.6.3-11.SL4
>  heimdal-lib-0.6.3-11.SL4
>  pam_heimdal-1.3-rc7.9
>
>  and krb5
> openafs-krb5-1.4.4-46.SL4
> pam_krb5-2.1.8-1
> krb5-devel-1.3.4-49
> krb5-workstation-1.3.4-49
> krb5-libs-1.3.4-49
> krb5-auth-dialog-0.2-1

You don't mention the version of ssh. Since we're talking about rather
old software, it could be that you're rediscovering old bugs.

> system-auth
>
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> #
> auth        sufficient    /lib/security/$ISA/pam_heimdalafs.so try_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     required      /lib/security/$ISA/pam_permit.so
>
> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> #
> password    sufficient    /lib/security/pam_heimdalafs.so try_first_pass
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> #
> session     required      /lib/security/pam_heimdalafs.so try_first_pass

Some of these modules accept the "debug" option. In particular, I would
try it on the pam_heimdalafs invocations. To make sense of the results
you'll need to also look at the module's source code.

It looks from the version number as if this might be the sourceforge
module by Balázs Gál. Back when I was using it, I had to fix a few bugs
to make it work. Nowadays you'd probably be better off picking another
module or two. For SL4, I know at least one site that's successfully
using pam_krb5afs.so from pam_krb5-2.2.8-1.3.cern in conjunction with
openssh-4.3p2-4.cern; one needs to invoke pam_krb5afs.so with
"external=sshd" as an argument.

>  and I had no problem logging in directly or via ssh
>  and getting an AFS token.
>
>  On Friday I installed another machine with openafs,
>  krb5 , and kernel update. but the same heimdal and
>  system-auth file
>
>   With the updated machine I can log in directly and have
>   no problem. However, when I try to ssh I get
>   disconnected, and the message in the log shows
>
>  Mar 24 18:58:42 pc26 sshd[9861]: Accepted password for sabah from ::ffff:194.36.3.178 port 60142 ssh2
>  Mar 24 18:58:42 pc26 sshd[9868]: fatal: PAM: pam_open_session(): Authentication service cannot retrieve user credentials
>
>
>  Has anyone seen this?
>  Does anyone know how it could be fixed please?
>
>
>  Many Thanks, Sabah.
>
> -- 
> *********************************************************
> *	From Sabah Salih				*
> *	The School of Physics and Astronomy,		*
> *	The University of Manchester,			*
> * 	Schuster Laboratory,				*
> *	Brunswick Street,				*
> *	Manchester M13 9PL.				*
> *     Tel: +44 1612754171 or  x4171			*
> *     E-mail: sabah.salih@manchester.ac.uk		*
> *							*
> *********************************************************
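The two log lines quoted above are the whole symptom: sshd[9861] reports "Accepted password" and, in the same second, a different sshd process (9868) fails in pam_open_session() with "cannot retrieve user credentials". Whatever the auth module stashed in the PAM handle during authentication was not there when the session stage ran. The script below is an added example, not code from the post or from OpenAFS or pam_krb5: it pairs each "Accepted" line with a pam_open_session() failure for the same host within a short window and reports whether the two stages ran in the same sshd process. The regular expressions, the field names, the 5-second window and the year used to parse syslog timestamps are my assumptions; the sample log is constructed from the post's two lines plus one unrelated, healthy login.

```python
import re
from datetime import datetime

# Constructed sample (not a real capture): the two lines from the post, plus a
# healthy login for another user so the pairing logic has a negative case.
SAMPLE_LOG = """\
Mar 24 18:58:42 pc26 sshd[9861]: Accepted password for sabah from ::ffff:194.36.3.178 port 60142 ssh2
Mar 24 18:58:42 pc26 sshd[9868]: fatal: PAM: pam_open_session(): Authentication service cannot retrieve user credentials
Mar 24 19:02:10 pc26 sshd[9901]: Accepted password for alice from ::ffff:10.0.0.5 port 51000 ssh2
Mar 24 19:02:10 pc26 sshd[9905]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

# Assumed syslog layout: "Mon DD HH:MM:SS host sshd[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<addr>\S+) port (?P<port>\d+)")
SESSION_FAIL_RE = re.compile(r"^fatal: PAM: pam_open_session\(\): (?P<reason>.*)$")


def parse_ts(ts, year=2008):
    """Syslog timestamps carry no year; the caller supplies one (assumed 2008 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_session_failures(log_text, window_seconds=5):
    """Return one finding per pam_open_session() failure that follows an
    accepted login on the same host within window_seconds."""
    findings = []
    pending = []  # accepted logins that have not yet been matched to a session outcome
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line in the assumed layout
        ts, host, pid, msg = parse_ts(m["ts"]), m["host"], int(m["pid"]), m["msg"]

        acc = ACCEPT_RE.match(msg)
        if acc:
            pending.append((ts, host, pid, acc["user"], acc["addr"]))
            continue

        fail = SESSION_FAIL_RE.match(msg)
        if not fail:
            continue
        # Pair with the most recent accepted login on this host inside the window.
        for i in range(len(pending) - 1, -1, -1):
            ats, ahost, apid, user, addr = pending[i]
            if ahost == host and 0 <= (ts - ats).total_seconds() <= window_seconds:
                findings.append({
                    "ts": ts,
                    "host": host,
                    "user": user,
                    "addr": addr,
                    "auth_pid": apid,
                    "session_pid": pid,
                    # With privilege separation the session stage normally runs in a
                    # different sshd process than the one that authenticated.
                    "same_process": apid == pid,
                    "reason": fail["reason"],
                })
                del pending[i]
                break
    return findings


if __name__ == "__main__":
    for f in find_session_failures(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']}: user {f['user']} from {f['addr']} authenticated in "
              f"sshd[{f['auth_pid']}] but pam_open_session() failed in sshd[{f['session_pid']}] "
              f"(same process: {f['same_process']}): {f['reason']}")
```

Run it against a real /var/log/secure (or messages) to see whether every affected login shows the same pattern: authentication accepted in one pid, session failure in another. That is the case to take to the module's debug output, as suggested above, since it tells you the credentials have to survive a process boundary between the auth and session stages.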