[OpenAFS] pam_afs_session on Fedora 11 clients with kerberos authentication (FreeIPA)

Mauricio Villarroel villarroel.mauricio@gmail.com
Thu, 3 Sep 2009 12:59:41 -0400


Hi all,

I thought sharing our experience would save time for others. Please correct
or update it if you find mistakes or better ways to perform this procedure.

Goal: Have AFS clients access their home directories at login time.

Problem: Clients were not getting the correct AFS token at login time

Our servers:

    * OpenAFS 1.4.11-1
    * FreeIPA 1.2.1

    FreeIPA nicely integrates MIT Kerberos, LDAP and other resources into
one package, which makes our lives much easier. Check http://www.freeipa.org
for more info.

Clients:

    * Fedora 11 x86_64  (kernel 2.6.29.6-217.2.16)
    * pam_afs_session 1.7
    * OpenAFS 1.4.11-1
    * FreeIPA 1.2.1

I will not cover the installation of a FreeIPA client; refer to their
documentation, as it worked for me out of the box without any modifications.


1. The following is just a minor note about the kmod-openafs package:
---------------------------------------------

The openafs repository doesn't keep up with the rate of updates of the Fedora
kernel and other packages: at the time of installation, the latest Fedora 11
kernel was 2.6.29.6-217.2.16, but the available kmod-openafs was built for
kernel 2.6.29.6_217.2.8. It would be nice to include the openafs packages
directly in the main Fedora repositories; is someone looking into this?

Anyway, it is very easy to generate a kmod package for your new kernel
(assuming that your new kernel does not break backwards compatibility
:-). On a separate development machine, download the openafs source rpm
package:

$ wget http://dl.openafs.org/dl/openafs/1.4.11/openafs-1.4.11-1.1.1.src.rpm
$ rpmbuild --rebuild openafs-1.4.11-1.1.1.src.rpm

And then I got my new package at:
~/rpmbuild/RPMS/x86_64/kmod-openafs-1.4.11-1.1.2.6.29.6_217.2.16.fc11.x86_64.rpm
---------------------------------------------


2. Install the openafs client packages:
---------------------------------------------

Install the openafs repository:

$ rpm -ivh http://dl.openafs.org/dl/openafs/1.4.11/openafs-repository-1.4.11-1.noarch.rpm

As in the openafs documentation, install the needed packages (substitute
your version of the kmod package):

$ yum install openafs-client openafs-krb5 openafs openafs-devel kmod-openafs-1.4.11-1.1.2.6.29.6_217.2.16.fc11.x86_64


3. pam_afs_session:
---------------------------------------------

pam_afs_session worked without problems on our end. Is there a plan to merge
it into the main openafs-client codebase?

As the documentation says, get the latest package:

$ wget http://archives.eyrie.org/software/afs/pam-afs-session-1.7.tar.gz

Uncompress, compile and install it into the main directory for system
libraries (/lib64):

$ tar -zxvf pam-afs-session-1.7.tar.gz
$ cd pam-afs-session-1.7
$ ./configure
$ make
$ cp pam_afs_session.so /lib64/security/pam_afs_session.so
$ chmod 755 /lib64/security/pam_afs_session.so

4. PAM and AFS tokens
---------------------------------------------

This was kind of tricky. Our students had no problems logging into the
workstations with their Kerberos credentials; the problem was that they were
not getting their AFS tokens at login time, neither when logging into
their graphical environment nor when using ssh. Actually, pam_open_session
or pam_setcred was correctly obtaining the tokens, but they were destroyed
before the user got a usable bash or KDM session.

Part of my "/etc/krb5.conf" file contains:

    [appdefaults]
    pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
      ignore_root = true
      ignore_afs = true
    }
    pam-afs-session = {
      minimum_uid = 100
      ignore_root = true
    }

I had to put "ignore_afs = true", because otherwise pam_krb5 was trying to
contact the AFS server with different versions of Kerberos tickets; part of
my log files showed things such as:

----------  /var/log/secure -----------------------------

      pam_krb5[15768]: trying with v4 ticket
      ...
      ...
      pam_krb5[15768]: v4 afslog failed to "ecg.mit.edu"
      pam_krb5[15768]: trying with v5 ticket and 524 service
      ...
      ...
      pam_krb5[15768]: got error -1765328228 (Cannot contact any KDC for requested realm) converting v5 creds to v4 for "ecg.mit.edu"
      ...
      ...
      pam_krb5[15768]: attempting to obtain tokens for "ecg.mit.edu" ("afsx/ecg.mit.edu@ECG.MIT.EDU")
      pam_krb5[15768]: error obtaining credentials for 'afsx/ecg.mit.edu@ECG.MIT.EDU' (enctype=1)
      ...
      ...
      pam_krb5[15768]: v5 with 524 service afslog failed to "ecg.mit.edu"
      ...
      ...
      pam_krb5[15768]: trying with v5 ticket (2b)
      pam_krb5[15768]: attempting to obtain tokens for "ecg.mit.edu" ("afs/ecg.mit.edu@ECG.MIT.EDU")
      pam_krb5[15768]: got tokens for cell "ecg.mit.edu"
      pam_krb5[15768]: no additional afs cells configured

------------------------------------------------

We were just using kerberos 5, so we didn't need the extra


My complete "/etc/pam.d/system-auth" file contained:

      #%PAM-1.0
      # This file is auto-generated.
      # User changes will be destroyed the next time authconfig is run.
      auth        required      pam_env.so
      auth  [success=ok default=1 user_unknown=ignore]  pam_krb5.so try_first_pass
      auth  [default=done]      pam_afs_session.so
      auth        required      pam_unix.so nullok use_first_pass
      auth        requisite     pam_succeed_if.so uid >= 500 quiet
      auth        required      pam_deny.so

      account     required      pam_unix.so broken_shadow
      account     sufficient    pam_localuser.so
      account     sufficient    pam_succeed_if.so uid < 500 quiet
      account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
      account     required      pam_permit.so
      account     required      pam_access.so

      password    requisite     pam_cracklib.so try_first_pass retry=3
      password    sufficient    pam_krb5.so use_authtok
      password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
      password    required      pam_deny.so

      session     optional      pam_keyinit.so revoke
      session     required      pam_limits.so
      session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
      session     optional      pam_krb5.so
      session     optional      pam_afs_session.so
      session     required      pam_unix.so


Reading the pam_afs_session documentation, I realized that it had to be
pam_keyinit. I thought the settings in system-auth should be fine, but then
in "/etc/pam.d/sshd" I found:

      session    optional     pam_keyinit.so force revoke
      session    include      system-auth

Why force? In fact, pam_keyinit was being called twice, by sshd and by
system-auth. When I commented out that line, everything worked fine and
users got their tokens at login time; the same happens in the xdm and kdm
pam files. I am not sure about the implications in Fedora of removing the
"pam_keyinit.so force revoke" line; does someone know?
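An added check, written for this post and not part of pam_afs_session, OpenAFS or
Fedora: a small POSIX sh lint that flags the pattern described above, a
"pam_keyinit.so force revoke" session line that runs before "session include
system-auth" while system-auth itself stacks pam_afs_session.so. The service
files it scans below are constructed from the snippets in this message (a
temporary directory stands in for /etc/pam.d); point count_conflicts at the real
/etc/pam.d to find the other service files (xdm, kdm) carrying the same line.

```shell
#!/bin/sh
# Added example, not from the original post. Lints PAM service files for a
# "session ... pam_keyinit.so ... force revoke" line that precedes
# "session include system-auth", when system-auth loads pam_afs_session.so.

# pam_keyinit_conflict SERVICE_FILE SYSTEM_AUTH_FILE
# Returns 0 (conflict) when SERVICE_FILE has an active (uncommented)
# "pam_keyinit.so ... force ... revoke" session line before an include of
# system-auth, and SYSTEM_AUTH_FILE stacks pam_afs_session.so in its
# session phase. Returns 1 otherwise.
pam_keyinit_conflict() {
    svc=$1
    sysauth=$2
    # Nothing to flag unless system-auth actually creates AFS tokens.
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_afs_session\.so' "$sysauth" || return 1
    awk '
        /^[[:space:]]*#/ { next }                     # skip commented-out lines
        $1 == "session" && /pam_keyinit\.so/ && /force/ && /revoke/ { seen_keyinit = NR }
        $1 == "session" && $2 == "include" && $3 == "system-auth" && seen_keyinit { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$svc"
}

# count_conflicts DIR
# Checks every file in DIR except system-auth, reports conflicting files on
# stderr and prints the number of conflicts on stdout.
count_conflicts() {
    dir=$1
    n=0
    for f in "$dir"/*; do
        [ "$(basename "$f")" = system-auth ] && continue
        if pam_keyinit_conflict "$f" "$dir/system-auth"; then
            echo "conflict: $f (pam_keyinit.so force revoke before include system-auth)" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample service files, modelled on the snippets in this message.
PAM_TMP=$(mktemp -d)
cat > "$PAM_TMP/system-auth" <<'EOF'
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_krb5.so
session     optional      pam_afs_session.so
session     required      pam_unix.so
EOF
cat > "$PAM_TMP/sshd" <<'EOF'
session    optional     pam_keyinit.so force revoke
session    include      system-auth
EOF
# The same file with the line commented out, as done in the fix above.
cat > "$PAM_TMP/sshd-fixed" <<'EOF'
#session    optional     pam_keyinit.so force revoke
session    include      system-auth
EOF

# Usage: scan the constructed directory (prints 1: only "sshd" is flagged).
count_conflicts "$PAM_TMP"
```

The lint only reads the files; deciding whether the line should be dropped on a
given Fedora install is still the open question raised above.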



Mauro
