[OpenAFS] pam/openafs
Geoff Ransom
geoffr@cs.umd.edu
Tue, 11 Aug 2009 18:31:41 -0400 (EDT)
Hello
I am trying to set up a 1.4.10 client on RHEL 5 so that it talks to an old
1.2 server and I can aklog to get tickets, but I can't seem to get AFS tokens
on login. I expect that I have not set up pam correctly for kerberos 5/4
issues, but am a bit worried that there are issues with talking to such an old
afs server.
When logging in, pam throws the following error...
afs: Tokens for user of AFS id 3555 for cell csic.umd.edu are discarded
(rxkad errror=19270407)
translate_et 19270407
19270407 (rxk).7 = security object was passed a bad ticket
I get the following tickets...
$ klist -e
Ticket cache: FILE:/tmp/krb5cc_3555_KwoBNN
Default principal: geoffr@CSIC.UMD.EDU
Valid starting Expires Service principal
08/11/09 18:16:29 08/12/09 04:16:29 krbtgt/CSIC.UMD.EDU@CSIC.UMD.EDU
renew until 08/11/09 18:16:29, Etype (skey, tkt): DES cbc mode with
CRC-32, Triple DES cbc mode with HMAC/sha1
Kerberos 4 ticket cache: /tmp/tkt3555_9S2HNQ
Principal: geoffr@CSIC.UMD.EDU
Issued Expires Principal
08/11/09 18:16:29 08/12/09 04:16:29 krbtgt.CSIC.UMD.EDU@CSIC.UMD.EDU
I can aklog to get afs tickets once logged in and then I have proper AFS
tokens with permission to access the 1.2 afs server...
[geoffr@invincible /]$ aklog -d
Authenticating to cell csic.umd.edu (server queasy-int.csic.umd.edu).
Trying to authenticate to user's realm CSIC.UMD.EDU.
Getting tickets: afs/csic.umd.edu@CSIC.UMD.EDU
Using Kerberos V5 ticket natively
About to resolve name geoffr to id in cell csic.umd.edu.
Id 3555
Set username to AFS ID 3555
Setting tokens. AFS ID 3555 / @ CSIC.UMD.EDU
[geoffr@invincible /]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_3555_KwoBNN
Default principal: geoffr@CSIC.UMD.EDU
Valid starting Expires Service principal
08/11/09 18:16:29 08/12/09 04:16:29 krbtgt/CSIC.UMD.EDU@CSIC.UMD.EDU
renew until 08/11/09 18:16:29, Etype (skey, tkt): DES cbc mode with
CRC-32, Triple DES cbc mode with HMAC/sha1
08/11/09 18:18:32 08/12/09 04:16:29 afs/csic.umd.edu@CSIC.UMD.EDU
renew until 08/11/09 18:16:29, Etype (skey, tkt): DES cbc mode with
CRC-32, DES cbc mode with CRC-32
Kerberos 4 ticket cache: /tmp/tkt3555_9S2HNQ
Principal: geoffr@CSIC.UMD.EDU
Issued Expires Principal
08/11/09 18:16:29 08/12/09 04:16:29 krbtgt.CSIC.UMD.EDU@CSIC.UMD.EDU
I have played with different options, but currently have...
auth sufficient pam_krb5afs.so debug use_first_pass tokens=true krb4_convert=true
in /etc/pam.d/system-auth. /etc/krb5.conf contains...
[appdefaults]
        pam = {
                debug = true
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = true
                krb4_convert_524 = true
                krb4_use_as_req = true
                addressless = true
                afs_cells = csic.umd.edu
        }
Can anyone suggest what the problem might be or point me at some good
documentation on pam/afs/krb that might help?
I just saw that 1.4.11 has come out since I last downloaded openafs and will
be trying it out. I have not had a chance to look over the changes to see if
anything that might have affected my situation has changed.
Thanks for any help or suggestions.
-Geoff
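The rxkad code in the post (19270407, which translate_et renders as (rxk).7) is a com_err error number: a table name packed 6 bits per character above an 8-bit offset, so the table and offset can be recovered without the tool. The decoder below is an added example, not code from the OpenAFS or MIT Kerberos projects; it implements the standard com_err packing and also covers the Kerberos tables, which use the same scheme and whose codes print as negative 32-bit integers. KNOWN_MESSAGES holds only the one message the post resolved; translate_et prints the name in lower case, while the packed characters decode as RXK.

```python
"""Decode and encode com_err-style error numbers (the scheme behind OpenAFS's
translate_et and Kerberos error codes).

Added example; not code from the OpenAFS or MIT Kerberos projects.  It follows
the standard com_err packing: a table name of up to four characters is stored
6 bits per character (A-Z = 1..26, a-z = 27..52, 0-9 = 53..62, _ = 63) above an
8-bit offset of the error within that table.
"""

CHAR_SET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
BITS_PER_CHAR = 6        # one table-name character per 6 bits
ERRCODE_RANGE = 8        # low 8 bits: offset of the error within its table
MAX_NAME_CHARS = 4       # 4 * 6 + 8 = 32 bits, so every base fits a C int


def to_signed32(value: int) -> int:
    """Interpret the low 32 bits of `value` as a C `int` (com_err codes are int32)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def table_base(name: str) -> int:
    """Return the (signed 32-bit) base code of an error table called `name`."""
    if not 1 <= len(name) <= MAX_NAME_CHARS:
        raise ValueError("table name must be 1 to 4 characters")
    packed = 0
    for ch in name:
        if ch not in CHAR_SET:
            raise ValueError(f"character {ch!r} not allowed in a table name")
        packed = (packed << BITS_PER_CHAR) | (CHAR_SET.index(ch) + 1)
    return to_signed32(packed << ERRCODE_RANGE)


def decode(code: int) -> tuple[str, int]:
    """Split an error number into (table name, offset).

    Negative codes, as Kerberos tools print for tables whose first character
    sets the top bit, are accepted: the value is reduced to its low 32 bits.
    """
    code &= 0xFFFFFFFF
    offset = code & ((1 << ERRCODE_RANGE) - 1)
    packed = code >> ERRCODE_RANGE
    chars = []
    for i in range(MAX_NAME_CHARS - 1, -1, -1):       # most significant character first
        ch = (packed >> (BITS_PER_CHAR * i)) & ((1 << BITS_PER_CHAR) - 1)
        if ch:                                          # 0 is padding, not a character
            chars.append(CHAR_SET[ch - 1])
    return "".join(chars), offset


# Only the entry the post itself resolved with translate_et; the full rxkad
# table lives in the OpenAFS source.
KNOWN_MESSAGES = {
    ("RXK", 7): "security object was passed a bad ticket",
}


def describe(code: int) -> str:
    """Render a code the way translate_et does: "<code> (<table>).<offset> = <message>"."""
    table, offset = decode(code)
    message = KNOWN_MESSAGES.get((table, offset), "unknown offset in table " + table)
    return f"{code} ({table}).{offset} = {message}"


if __name__ == "__main__":
    print(describe(19270407))    # the rxkad error from the post
    print(decode(-1765328384))   # Kerberos KRB5KDC_ERR_NONE: ('krb5', 0)
```

The round trip matters when reading logs from a mixed Kerberos/AFS client like the one in the post: a code near 19270400 belongs to rxkad (the token was rejected by the AFS server's security layer), while a large negative code belongs to the Kerberos library itself, which points at the credential acquisition step rather than at the AFS server.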