[OpenAFS] Re: pam_afs_session.so is unable to find Kerberos ticket cache file
Holger Rauch
holger.rauch@empic.de
Thu, 10 Dec 2009 12:08:48 +0100
Ok, again replying to my mail. I found this link:
http://www.eyrie.org/~eagle/software/pam-afs-session/docs.html
and added the two options always_aklog aklog_homedir to the line
session optional pam_afs_session.so always_aklog aklog_homedir program=/usr/bin/aklog debug
in /etc/pam.d/common-session. But I face the permission denied problem
nevertheless.
The more complete log output of /var/log/auth.log:
===
Dec 10 11:46:31 pia sshd[15877]: nss_ldap: reconnected to LDAP server
ldaps://prag-old.er.heitec.net after 1 attempt
Dec 10 11:46:31 pia sshd[15877]: Authorized to hrauch, krb5 principal
hrauch@ER.HEITEC.NET (krb5_kuserok)
Dec 10 11:46:31 pia sshd[15877]: Accepted gssapi-with-mic for hrauch
from 10.64.80.14 port 49823 ssh2
Dec 10 11:46:31 pia sshd[15877]: pam_unix(sshd:session): session
opened for user hrauch by (uid=0)
Dec 10 11:46:31 pia sshd[15877]: (pam_krb5): none: pam_sm_setcred:
entry (0x2)
Dec 10 11:46:31 pia sshd[15877]: (pam_krb5): none: no context found,
creating one
Dec 10 11:46:31 pia sshd[15877]: (pam_krb5): hrauch: unable to get
PAM_KRB5CCNAME, assuming non-Kerberos login
Dec 10 11:46:31 pia sshd[15877]: (pam_krb5): none: pam_sm_setcred:
exit (failure)
Dec 10 11:46:31 pia sshd[15877]: (pam_afs_session):
pam_sm_open_session: entry (0x0)
Dec 10 11:46:31 pia sshd[15877]: (pam_afs_session): passing -p
/export/home/people/hrauch to aklog
Dec 10 11:46:31 pia sshd[15877]: (pam_afs_session): running
/usr/bin/aklog as UID 10006
Dec 10 11:46:31 pia sshd[15877]: (pam_afs_session):
pam_sm_open_session: exit (success)
===
Anything suspicious in there?
Thanks again & kind regards,
Holger
On Thu, 10 Dec 2009, Holger Rauch wrote:
> Rehi,
>
> replying to my own mail since I came across this link:
>
> http://www.mail-archive.com/kerberos@mit.edu/msg12283.html
>
> The relevant excerpt from the mail:
>
> ===
>
> If you're doing GSSAPI authentication to sshd, this is normal, since
> sshd does ticket cache setup itself in that case and pam_krb5 doesn't
> need to do anything.
>
> ===
>
> So, the question is: can pam_afs_session.so (or aklog invoked by
> pam_afs_session.so) use the ticket cache of sshd and how?
>
> Thanks in advance & kind regards,
>
> Holger
>
> On Thu, 10 Dec 2009, Holger Rauch wrote:
>
> > Hi to everybody,
> >
> > The problem I got is that interactive kinit/aklog combos work
> > perfectly, but when I try to log in remotely via ssh, the passwordless
> > login itself works, but a cd to my home dir doesn't occur because
> > pam_afs_session.so is either not considered or doesn't call aklog. The
> > exact error messages read as follows:
> >
> > Could not chdir to home directory /export/home/people/hrauch: Permission denied
> > -bash: /export/home/people/hrauch/.bash_profile: Permission denied
> >
> > As it is now, I have to manually invoke kinit && aklog in order to be
> > able to successfully cd to my home dir. That's exactly what I wanted
> > to avoid.
> >
> > I googled but found only the hint that one needs to include
> > pam_afs_session.so in the PAM session config, which I did.
> >
> > The above implies that LDAP setup (used for POSIX account info)
> > and MIT Kerberos setup (for password maintenance) are configured correctly.
> > SSH is set up to forward Kerberos tickets by using these options in
> > /etc/ssh/ssh_config on the client:
> >
> > GSSAPIAuthentication yes
> > GSSAPIDelegateCredentials yes
> >
> > This happens on a Debian Lenny system with openafs packages installed
> > from backports.org in order to circumvent some kind of memory
> > allocation error preventing the openafs kernel module from being loaded.
> >
> > Here's the list of installed openafs packages obtained via dpkg -l:
> >
> > ===
> >
> > ii libpam-afs-session 1.7-1 PAM module to set up a PAG and obtain AFS tokens
> > ii openafs-client 1.4.11+dfsg-5~bpo50+1 AFS distributed filesystem client support
> > ii openafs-krb5 1.4.11+dfsg-5~bpo50+1 AFS distributed filesystem Kerberos 5 integration
> > ii openafs-modules-dkms 1.4.11+dfsg-5~bpo50+1 AFS distributed filesystem kernel module DKMS source
> > ii openafs-modules-source 1.4.11+dfsg-5~bpo50+1 AFS distributed filesystem kernel module source
> >
> > ===
> >
> > My PAM config (I have a few "fallback" system accounts too, that's why
> > pam_unix.so is mentioned):
> >
> > - /etc/pam.d/common-account
> >
> > ===
> >
> > account sufficient pam_unix.so
> > account required pam_ldap.so minimum_uid=10000 debug
> > account required pam_krb5.so minimum_uid=10000 ignore_root debug
> >
> > ===
> >
> > - /etc/pam.d/common-auth
> >
> > ===
> >
> > auth sufficient pam_unix.so nullok_secure
> > auth sufficient pam_krb5.so use_first_pass minimum_uid=10000 ignore_root debug
> > auth optional pam_afs_session.so program=/usr/bin/aklog
> > auth required pam_deny.so
> >
> > ===
> >
> > - /etc/pam.d/common-password
> >
> > ===
> >
> > password sufficient pam_unix.so nullok obscure md5
> > password required pam_krb5.so use_first_pass minimum_uid=10000 ignore_root debug
> >
> > ===
> >
> > - /etc/pam.d/common-session (I verified the path to aklog)
> >
> > ===
> >
> > session required pam_limits.so
> > session required pam_unix.so
> > session optional pam_krb5.so minimum_uid=10000 ignore_root debug
> > session optional pam_afs_session.so program=/usr/bin/aklog debug
> >
> > ===
> >
> > Anything wrong with my PAM config?
> >
> > /var/log/auth.log tells me:
> >
> > ===
> >
> > Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): hrauch: unable to get
> > PAM_KRB5CCNAME, assuming non-Kerberos login
> > Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): none: pam_sm_setcred:
> > exit (failure)
> > Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session):
> > pam_sm_open_session: entry (0x0)
> > Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): skipping tokens,
> > no Kerberos ticket cache
> > Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session):
> > pam_sm_open_session: exit (success)
> >
> > ===
> >
> > Now, the obvious question is: How can I tell sshd or pam_krb5.so about
> > the ticket cache file?
> >
> > Thanks in advance for any help!
> >
> > Kind regards,
> >
> > Holger
> >
>
>
> --
> ==========================================
> Holger Rauch
> Application Software Development
> UNIX System Administration
>
> Tel.: +49 / 9131 / 877 - 141
> Fax: +49 / 9131 / 877 - 266
> Email: Holger.Rauch@empic.de
> ==========================================
--
==========================================
Holger Rauch
Application Software Development
UNIX System Administration
Tel.: +49 / 9131 / 877 - 141
Fax: +49 / 9131 / 877 - 266
Email: Holger.Rauch@empic.de
==========================================
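As an added example, not part of Holger's mail and not code from pam-afs-session or pam_krb5: a small Python script that parses auth.log lines of the kind quoted in this thread, groups them by sshd pid and classifies each session by whether pam_krb5 found PAM_KRB5CCNAME and whether pam_afs_session ran aklog or skipped tokens. The log lines are constructed copies of the two excerpts above, re-joined onto single lines; the substrings it matches on are the ones that appear in those excerpts.

```python
import re
from collections import defaultdict

# Constructed sample: the two auth.log excerpts quoted in this thread,
# re-joined onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): hrauch: unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): none: pam_sm_setcred: exit (failure)
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: entry (0x0)
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): skipping tokens, no Kerberos ticket cache
Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: exit (success)
Dec 10 11:46:31 pia sshd[15877]: Accepted gssapi-with-mic for hrauch from 10.64.80.14 port 49823 ssh2
Dec 10 11:46:31 pia sshd[15877]: pam_unix(sshd:session): session opened for user hrauch by (uid=0)
Dec 10 11:46:31 pia sshd[15877]: (pam_krb5): hrauch: unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Dec 10 11:46:31 pia sshd[15877]: (pam_krb5): none: pam_sm_setcred: exit (failure)
Dec 10 11:46:31 pia sshd[15877]: (pam_afs_session): pam_sm_open_session: entry (0x0)
Dec 10 11:46:31 pia sshd[15877]: (pam_afs_session): passing -p /export/home/people/hrauch to aklog
Dec 10 11:46:31 pia sshd[15877]: (pam_afs_session): running /usr/bin/aklog as UID 10006
Dec 10 11:46:31 pia sshd[15877]: (pam_afs_session): pam_sm_open_session: exit (success)
"""

# One syslog line written by a PAM module with its debug option on:
#   "<timestamp> <host> sshd[<pid>]: (<module>): <message>"
# Lines from sshd itself or from pam_unix use a different prefix and are skipped.
PAM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"\((?P<module>[^)]+)\): (?P<msg>.*)$"
)


def parse_sessions(text):
    """Group (module, message) pairs by sshd pid; non-matching lines are ignored."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = PAM_LINE.match(line)
        if m:
            sessions[m["pid"]].append((m["module"], m["msg"]))
    return dict(sessions)


def diagnose(events):
    """Summarise one session's PAM debug lines.

    krb5_saw_ccache - pam_krb5 did not complain about a missing PAM_KRB5CCNAME
    aklog_invoked   - pam_afs_session logged that it ran its aklog program
    tokens_skipped  - pam_afs_session gave up for lack of a ticket cache
    verdict         - short classification of the session
    """
    krb5_msgs = [msg for mod, msg in events if mod == "pam_krb5"]
    afs_msgs = [msg for mod, msg in events if mod == "pam_afs_session"]

    krb5_saw_ccache = not any("unable to get PAM_KRB5CCNAME" in m for m in krb5_msgs)
    aklog_invoked = any(m.startswith("running ") for m in afs_msgs)
    tokens_skipped = any(m.startswith("skipping tokens") for m in afs_msgs)

    if tokens_skipped:
        verdict = "no ticket cache visible to PAM: aklog never ran"
    elif aklog_invoked and not krb5_saw_ccache:
        verdict = ("aklog ran although pam_krb5 saw no PAM_KRB5CCNAME; "
                   "the log does not show whether aklog found a cache")
    elif aklog_invoked:
        verdict = "ticket cache found and aklog ran"
    else:
        verdict = "no pam_afs_session activity recorded"

    return {
        "krb5_saw_ccache": krb5_saw_ccache,
        "aklog_invoked": aklog_invoked,
        "tokens_skipped": tokens_skipped,
        "verdict": verdict,
    }


def diagnose_log(text):
    """Map each sshd pid found in the log text to its diagnosis."""
    return {pid: diagnose(events) for pid, events in parse_sessions(text).items()}


if __name__ == "__main__":
    for pid, result in sorted(diagnose_log(SAMPLE_LOG).items()):
        print(f"sshd[{pid}]: {result['verdict']}")
```

Pointed at a whole /var/log/auth.log it shows the session-by-session pattern at a glance. Note that a "running /usr/bin/aklog" line only records that pam_afs_session invoked aklog, not that aklog obtained a token, so the permission-denied case above still needs a check from inside the session (for example the OpenAFS `tokens` command).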