[OpenAFS] Re: pam_afs_session.so is unable to find Kerberos ticket cache file

Holger Rauch holger.rauch@empic.de
Thu, 10 Dec 2009 11:26:08 +0100



Rehi,

replying to my own mail since I came across this link:

http://www.mail-archive.com/kerberos@mit.edu/msg12283.html

The relevant excerpt from the mail:

===

If you're doing GSSAPI authentication to sshd, this is normal, since
sshd does ticket cache setup itself in that case and pam_krb5 doesn't
need to do anything.

===

So, the question is: can pam_afs_session.so (or aklog invoked by
pam_afs_session.so) use the ticket cache of sshd and how?

Thanks in advance & kind regards,

       Holger

On Thu, 10 Dec 2009, Holger Rauch wrote:

> Hi to everybody,
>
> The problem I got is that interactive kinit/aklog combos work
> perfectly, but when I try to log in remotely via ssh, the passwordless
> login itself works, but a cd to my home dir doesn't occur because
> pam_afs_session.so is either not considered or doesn't call aklog. The
> exact error messages read as follows:
>
> Could not chdir to home directory /export/home/people/hrauch: Permission denied
> -bash: /export/home/people/hrauch/.bash_profile: Permission denied
>
> As it is now, I have to manually invoke kinit && aklog in order to be
> able to successfully cd to my home dir. That's exactly what I wanted
> to avoid.
>
> I googled but found only the hint that one needs to include
> pam_afs_session.so in the PAM session config, which I did.
>
> The above implies that LDAP setup (used for POSIX account info)
> and MIT Kerberos setup (for password maintenance) are configured correctly.
> SSH is set up to forward Kerberos tickets by using these options in
> /etc/ssh/ssh_config on the client:
>
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
>
> This happens on a Debian Lenny system with openafs packages installed
> from backports.org in order to circumvent some kind of memory
> allocation error preventing the openafs kernel module from being loaded.
>
> Here's the list of installed openafs packages obtained via dpkg -l:
>
> ===
>
> ii  libpam-afs-session         1.7-1                      PAM module to set up a PAG and obtain AFS tokens
> ii  openafs-client             1.4.11+dfsg-5~bpo50+1      AFS distributed filesystem client support
> ii  openafs-krb5               1.4.11+dfsg-5~bpo50+1      AFS distributed filesystem Kerberos 5 integration
> ii  openafs-modules-dkms       1.4.11+dfsg-5~bpo50+1      AFS distributed filesystem kernel module DKMS source
> ii  openafs-modules-source     1.4.11+dfsg-5~bpo50+1      AFS distributed filesystem kernel module source
>
> ===
>
> My PAM config (I have a few "fallback" system accounts too, that's why
> pam_unix.so is mentioned):
>
> - /etc/pam.d/common-account
>
> ===
>
> account sufficient      pam_unix.so
> account required        pam_ldap.so minimum_uid=10000 debug
> account required        pam_krb5.so minimum_uid=10000 ignore_root debug
>
> ===
>
> - /etc/pam.d/common-auth
>
> ===
>
> auth    sufficient        pam_unix.so nullok_secure
> auth    sufficient        pam_krb5.so use_first_pass minimum_uid=10000 ignore_root debug
> auth    optional          pam_afs_session.so program=/usr/bin/aklog
> auth    required          pam_deny.so
>
> ===
>
> - /etc/pam.d/common-password
>
> ===
>
> password sufficient     pam_unix.so nullok obscure md5
> password required       pam_krb5.so use_first_pass minimum_uid=10000 ignore_root debug
>
> ===
>
> - /etc/pam.d/common-session (I verified the path to aklog)
>
> ===
>
> session required        pam_limits.so
> session required        pam_unix.so
> session optional        pam_krb5.so minimum_uid=10000 ignore_root debug
> session optional        pam_afs_session.so program=/usr/bin/aklog debug
>
> ===
>
> Anything wrong with my PAM config?
>
> /var/log/auth.log tells me:
>
> ===
>
> Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): hrauch: unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
> Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): none: pam_sm_setcred: exit (failure)
> Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: entry (0x0)
> Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): skipping tokens, no Kerberos ticket cache
> Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: exit (success)
>
> ===
>
> Now, the obvious question is: How can I tell sshd or pam_krb5.so about
> the ticket cache file?
>
> Thanks in advance for any help!
>
> Kind regards,
>
>      Holger
>


--
=========================================
Holger Rauch
Application Software Development
UNIX System Administration

Tel.: +49 / 9131 / 877 - 141
Fax: +49 / 9131 / 877 - 266
Email: Holger.Rauch@empic.de
=========================================
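The auth.log excerpt in the quoted mail shows the chain the thread is asking about: pam_krb5 finds no PAM_KRB5CCNAME in the PAM environment, so pam_afs_session skips aklog and the session opens without AFS tokens. The following is an added example, not code from the thread or from the OpenAFS or pam-afs-session projects: it parses such debug lines, groups them by sshd process, and reports every session that opened without tokens together with whether pam_krb5 exported a ticket cache. The sample log is the thread's excerpt plus one constructed healthy session whose aklog message text is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: the five lines quoted in the thread (pid 15641) plus one
# assumed healthy session (pid 15702) where aklog actually ran.
SAMPLE_AUTH_LOG = """\
Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): hrauch: unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): none: pam_sm_setcred: exit (failure)
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: entry (0x0)
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): skipping tokens, no Kerberos ticket cache
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: exit (success)
Dec 10 11:02:07 pia sshd[15702]: (pam_afs_session): pam_sm_open_session: entry (0x0)
Dec 10 11:02:07 pia sshd[15702]: (pam_afs_session): running /usr/bin/aklog (assumed message text)
Dec 10 11:02:07 pia sshd[15702]: (pam_afs_session): pam_sm_open_session: exit (success)
"""

# syslog timestamp, host, sshd pid, PAM module name in parentheses, free-text message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"\((?P<module>pam_\w+)\): (?P<msg>.*)$"
)

# The two messages that, taken together, explain the symptom in the thread.
NO_CCNAME = "unable to get PAM_KRB5CCNAME"
SKIPPED_TOKENS = "skipping tokens, no Kerberos ticket cache"

def parse_auth_log(text):
    """Group PAM debug lines by sshd process id; lines that do not match are ignored."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[m["pid"]].append((m["module"], m["msg"]))
    return sessions

def find_tokenless_sessions(text):
    """One finding per sshd session in which pam_afs_session skipped obtaining tokens."""
    findings = []
    for pid, events in sorted(parse_auth_log(text).items(), key=lambda kv: int(kv[0])):
        if not any(mod == "pam_afs_session" and SKIPPED_TOKENS in msg for mod, msg in events):
            continue
        user, no_ccname = None, False
        for mod, msg in events:
            if mod == "pam_krb5" and NO_CCNAME in msg:
                no_ccname = True
                user = msg.split(":", 1)[0]  # pam_krb5 prefixes the message with the user name
        findings.append({"pid": pid, "user": user, "krb5_exported_ccache": not no_ccname})
    return findings

if __name__ == "__main__":
    for f in find_tokenless_sessions(SAMPLE_AUTH_LOG):
        print(f)
```

A session flagged with `krb5_exported_ccache` set to False is the case from the thread: whatever authenticated the login (here GSSAPI in sshd) did not leave a ticket cache name in the PAM environment for pam_afs_session to pick up.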
