[OpenAFS] pam_afs_session.so is unable to find Kerberos ticket cache file

Holger Rauch holger.rauch@empic.de
Thu, 10 Dec 2009 10:58:30 +0100


--jy6Sn24JjFx/iggw
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi to everybody,

The problem I got is that interactive kinit/aklog combos work
perfectly, but when I try to log in remotely via ssh, the passwordless
login itself works, but a cd to my home dir doesn't occur because
pam_afs_session.so is either not considered or doesn't call aklog. The
exact error messages read as follows:

Could not chdir to home directory /export/home/people/hrauch: Permission de=
nied
-bash: /export/home/people/hrauch/.bash_profile: Permission denied

As it is now, I have to manully invoke kinit && aklog in order to be
able to successfully cd to my home dir. That's exactly what I wanted
to avoid.

I googled but found only the hint that one needs to include
pam_afs_session.so in the PAM session config, which I did.

The above implies that LDAP setup (used for POSIX account info)=20
and MIT Kerberos setup (for password maintenance) are configured correctly.
SSH is setup to forward Kerberos tickets by using these options in
/etc/ssh/ssh_config on the client:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

This happens on a Debian Lenny system with openafs packages installed
=66rom backports.org in order to circumvent some kind of memory
allocation error preventing the openafs kernel module from being loaded.

Here's the list of installed openafs packages obtained via dpkg -l:

=3D=3D=3D

ii  libpam-afs-session         1.7-1                      PAM module
to set up a PAG and obtain AFS tokens
ii  openafs-client             1.4.11+dfsg-5~bpo50+1      AFS
distributed filesystem client support
ii  openafs-krb5               1.4.11+dfsg-5~bpo50+1      AFS
distributed filesystem Kerberos 5 integration
ii  openafs-modules-dkms       1.4.11+dfsg-5~bpo50+1      AFS
distributed filesystem kernel module DKMS source
ii  openafs-modules-source     1.4.11+dfsg-5~bpo50+1      AFS
distributed filesystem kernel module source

=3D=3D=3D

My PAM config (I have a few "fallback" system accounts too, that's why
pam_unix.so is mentioned):

- /etc/pam.d/common-account

=3D=3D=3D

account sufficient      pam_unix.so
account required        pam_ldap.so minimum_uid=3D10000 debug
account required        pam_krb5.so minimum_uid=3D10000 ignore_root debug

=3D=3D=3D

- /etc/pam.d/common-auth

=3D=3D=3D

auth    sufficient        pam_unix.so nullok_secure
auth    sufficient        pam_krb5.so use_first_pass minimum_uid=3D10000
ignore_root debug
auth    optional          pam_afs_session.so program=3D/usr/bin/aklog
auth    required          pam_deny.so

=3D=3D=3D

- /etc/pam.d/common-password

=3D=3D=3D

password sufficient   pam_unix.so nullok obscure md5
password required pam_krb5.so use_first_pass minimum_uid=3D10000
ignore_root debug

=3D=3D=3D

- /etc/pam.d/common-session (I verified the path to aklog)

=3D=3D=3D

session required        pam_limits.so
session required        pam_unix.so
session  optional  pam_krb5.so minimum_uid=3D10000 ignore_root debug
session optional pam_afs_session.so program=3D/usr/bin/aklog debug

=3D=3D=3D

Anything wrong with my PAM config?

/var/log/auth.log tells me:

=3D=3D=3D

Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): hrauch: unable to get
PAM_KRB5CCNAME, assuming non-Kerberos login
Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): none: pam_sm_setcred:
exit (failure)
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session):
pam_sm_open_session: entry (0x0)
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): skipping tokens,
no Kerberos ticket cache
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session):
pam_sm_open_session: exit (success)

=3D=3D=3D

Now, the obvious question is: How can I tell sshd or pam_krb5.so about
the ticket cache file?

Thanks in advance for any help!

Kind regards,

     Holger
    =20
--jy6Sn24JjFx/iggw
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksgxkYACgkQbiVtWpZdKQJetQCghSJkx+hWnlKpu0L6vlIOqFXn
3SEAn31LJXICBmlrn5FZOCTFFf80d+WM
=MHlH
-----END PGP SIGNATURE-----

--jy6Sn24JjFx/iggw--