[OpenAFS] ssh and afs
Sergio Gelato
Sergio.Gelato@astro.su.se
Wed, 26 Mar 2008 11:01:33 +0100
* sabah salih [2008-03-25 13:47:23 +0000]:
> I installed SL43 last week with "heimdal"
>
> openafs-krb5-1.4.4-46.SL4
> kernel-module-openafs-2.6.9-34.EL-1.4.0-8.SL
> openafs-firstboot-1.2.11-5.SL
> openafs-1.4.4-46.SL4
> openafs-kpasswd-1.4.4-46.SL4
> openafs-client-1.4.4-46.SL4
> kernel-module-openafs-2.6.9-67.0.4.EL-1.4.4-46.SL4
> openafs-compat-1.4.4-46.SL4
> openafs-devel-1.4.4-46.SL4
>
> heimdal-tools-0.6.3-11.SL4
> heimdal-0.6.3-11.SL4
> heimdal-devel-0.6.3-11.SL4
> heimdal-lib-0.6.3-11.SL4
> pam_heimdal-1.3-rc7.9
>
> and krb5
> openafs-krb5-1.4.4-46.SL4
> pam_krb5-2.1.8-1
> krb5-devel-1.3.4-49
> krb5-workstation-1.3.4-49
> krb5-libs-1.3.4-49
> krb5-auth-dialog-0.2-1
You don't mention the version of ssh. Since we're talking about rather
old software, it could be that you're rediscovering old bugs.
> system-auth
>
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> #
> auth sufficient /lib/security/$ISA/pam_heimdalafs.so try_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> #
> password sufficient /lib/security/pam_heimdalafs.so try_first_pass
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> #
> session required /lib/security/pam_heimdalafs.so try_first_pass
Some of these modules accept the "debug" option. In particular, I would
try it on the pam_heimdalafs invocations. To make sense of the results
you'll need to also look at the module's source code.
It looks from the version number as if this might be the sourceforge
module by Balázs Gál. Back when I was using it, I had to fix a few bugs
to make it work. Nowadays you'd probably be better off picking another
module or two. For SL4, I know at least one site that's successfully
using pam_krb5afs.so from pam_krb5-2.2.8-1.3.cern in conjunction with
openssh-4.3p2-4.cern; one needs to invoke pam_krb5afs.so with
"external=sshd" as an argument.
> and I had no problem logging in directly or via ssh
> and getting an AFS token.
>
> On Friday I installed another machine with openafs,
> krb5, and a kernel update, but the same heimdal and
> system-auth file.
>
> With the updated machine I can log in directly and have
> no problem. However, when I try to ssh I get
> disconnected and the message in the log shows
>
> Mar 24 18:58:42 pc26 sshd[9861]: Accepted password for sabah from ::ffff:194.36.3.178 port 60142 ssh2
> Mar 24 18:58:42 pc26 sshd[9868]: fatal: PAM: pam_open_session(): Authentication service cannot retrieve user credentials
>
> Has anyone seen this?
> Does anyone know how it could be fixed please?
>
> Many Thanks, Sabah.
>
> --
> *********************************************************
> * From Sabah Salih *
> * The School of Physics and Astronomy, *
> * The University of Manchester, *
> * Schuster Laboratory, *
> * Brunswick Street, *
> * Manchester M13 9PL. *
> * Tel: +44 1612754171 or x4171 *
> * E-mail: sabah.salih@manchester.ac.uk *
> * *
> *********************************************************