[OpenAFS] Openafs Client with pam krb5 and ldap
Claudio Prono
claudio.prono@atpss.net
Fri, 01 Oct 2010 18:31:40 +0200
Claudio Prono wrote:
> Douglas E. Engert wrote:
>
>> On 10/1/2010 10:46 AM, Claudio Prono wrote:
>>
>>> Hello all,
>>>
>>> I am searching someone experienced with an openafs-client with pam,
>>> kerberos and ldap.
>>>
>> What OS?
>>
>>
> It is an OpenSuse 11.3
>
>>> I am trying to use a single sign-on to a Linux client with AFS (shell
>>> user, no local user). I have set up PAM with krb5 and AFS, with these
>>> configs:
>>>
>>> /etc/pam.d/common-auth
>>>
>>> auth required pam_env.so
>>> auth optional pam_gnome_keyring.so
>>> auth sufficient pam_unix2.so
>>> auth sufficient pam_krb5.so use_first_pass
>>> auth required pam_deny.so
>>>
>>> /etc/pam.d/common-session
>>>
>>> session required pam_limits.so
>>> session required pam_unix2.so
>>> session optional pam_krb5.so
>>> session optional pam_umask.so
>>> session optional pam_gnome_keyring.so auto_start only_if=gdm,lxdm
>>>
>>> /etc/pam.d/common-password
>>>
>>> password requisite pam_pwcheck.so nullok cracklib
>>> password optional pam_gnome_keyring.so use_authtok
>>> password [default=ignore success=1] pam_succeed_if.so uid > 999 quiet
>>> password sufficient pam_unix2.so use_authtok nullok
>>> password sufficient pam_krb5.so
>>> password required pam_deny.so
>>>
>>> /etc/pam.d/common-account
>>>
>>> account requisite pam_unix2.so
>>> account required pam_krb5.so use_first_pass ignore_unknown_principals
>>> account sufficient pam_localuser.so
>>> account required pam_ldap.so use_first_pass
>>>
>> Are you sure you need the pam_ldap.so here? It's generally used
>> only for authentication, and you are using Kerberos.
>> If you have nss_ldap set up via /etc/nsswitch.conf you should
>> not need pam_ldap.so.
>>
>> Which pam_krb5 are you using? Does it do AFS?
>> If not you will also need pam_afs_session.so to get tokens.
>>
>>
> I have tried to remove pam_ldap.so from common-account, but nothing
> was solved. Same error. This is my nsswitch.conf:
>
> passwd: compat
> group: files ldap
> shadow: files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> networks: files dns
>
> services: files ldap
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> netgroup: files ldap
> publickey: files
>
> bootparams: files
> automount: files nis ldap
> aliases: files ldap
> passwd_compat: ldap
>
>
>>> If I do an id [user] on the remote machine, it works (it is not a local
>>> user)
>>>
>>> id claudio
>>> uid=1003(claudio) gid=100(users) groups=100(users),1000(domadm),1001(Domain Admins)
>>>
>>> But when I try to log in with an LDAP/Kerberos user, in the machine
>>> logs I get this:
>>>
>>> Oct 1 16:48:03 linux-7w13 sshd[4192]: pam_krb5[4192]: authentication succeeds for 'claudio' (claudio@MEDIASERVICE-TEST.PRI)
>>> Oct 1 16:48:03 linux-7w13 sshd[4099]: error: PAM: Authentication failure for claudio from 192.168.87.131
>>>
>>> I don't understand... why does it first succeed, and then fail?
>>>
>>> What is wrong?
>>>
>>> Any hint is welcome.
>>>
>>> Cheers,
>>>
>>> Claudio.
>>>
>>>
Other info that may be useful: I have tried to put pam_krb5 in debug mode; the
result in messages is this:
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: default/local realm 'MEDIASERVICE-TEST.PRI'
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: configured realm 'MEDIASERVICE-TEST.PRI'
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: debug
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flags: forwardable not proxiable
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: no ignore_afs
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: no null_afs
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: user_check
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: no krb4_convert
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: krb4_convert_524
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: krb4_use_as_req
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: will try previously set password first
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: will let libkrb5 ask questions
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: use_shmem
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: external
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: no multiple_ccaches
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: flag: warn
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: ticket lifetime: 86400s (1d,0h,0m,0s)
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: renewable lifetime: 86400s (1d,0h,0m,0s)
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: minimum uid: 1
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: banner: Kerberos 5
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: ccache dir: /tmp
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: keytab: FILE:/etc/krb5.keytab
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: token strategy: v4,524,2b,rxk5
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: pam_authenticate called for 'claudio', realm 'MEDIASERVICE-TEST.PRI'
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: authenticating 'claudio@MEDIASERVICE-TEST.PRI'
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: checking for externally-obtained v5 credentials
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: KRB5CCNAME is not set, none found
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: trying previously-entered password for 'claudio', allowing libkrb5 to prompt for more
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: authenticating 'claudio@MEDIASERVICE-TEST.PRI' to 'krbtgt/MEDIASERVICE-TEST.PRI@MEDIASERVICE-TEST.PRI'
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: krb5_get_init_creds_password(krbtgt/MEDIASERVICE-TEST.PRI@MEDIASERVICE-TEST.PRI) returned 0 (Success)
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: got result 0 (Success)
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: saving v5 credentials to 'MEMORY:_pam_krb5_tmp_s_claudio@MEDIASERVICE-TEST.PRI-0' for internal use
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: obtaining afs tokens
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: creating new PAG
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: obtaining tokens for local cell 'mediaservice-test.pri'
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: trying with v5 ticket (2b)
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: attempting to determine realm for "mediaservice-test.pri"
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: file server for "/afs/mediaservice-test.pri" is 127.0.0.2
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: error 0(Success) determining realm for #020
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: attempting to obtain tokens for "mediaservice-test.pri" ("afs/mediaservice-test.pri@MEDIASERVICE-TEST.PRI")
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: got tokens for cell "mediaservice-test.pri"
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: no additional afs cells configured
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: saving v5 credentials to 'MEMORY:_pam_krb5_tmp_s_claudio@MEDIASERVICE-TEST.PRI-1' for internal use
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: copied credentials from "MEMORY:_pam_krb5_tmp_s_claudio@MEDIASERVICE-TEST.PRI-1" to "FILE:/tmp/krb5cc_1003_bm4243" for the user, destroying "MEMORY:_pam_krb5_tmp_s_claudio@MEDIASERVICE-TEST.PRI-1"
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: created v5 ccache 'FILE:/tmp/krb5cc_1003_TXSb1v' for 'claudio'
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: krb5_kuserok() says 1
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: removing ccache 'FILE:/tmp/krb5cc_1003_TXSb1v'
Oct 1 17:32:36 linux-7w13 sshd[4243]: pam_krb5[4243]: destroyed ccache 'FILE:/tmp/krb5cc_1003_TXSb1v'
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: 'claudio@MEDIASERVICE-TEST.PRI' passes .k5login check for 'claudio'
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: saved v5 credentials to shared memory segment 196613 (creator pid 4242)
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: set '_pam_krb5_stash_claudio_MEDIASERVICE-TEST.PRI__1_shm5=196613/4242' in environment
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: authentication succeeds for 'claudio' (claudio@MEDIASERVICE-TEST.PRI)
Oct 1 17:32:36 linux-7w13 sshd[4242]: pam_krb5[4242]: pam_authenticate returning 0 (Success)
Oct 1 17:32:36 linux-7w13 sshd[4234]: error: PAM: Authentication failure for claudio from 192.168.87.131
All successful, but then the last "PAM: Authentication failure"... What can it be?
Cordially,
Claudio.
--
--------------------------------------------------------------------------------
Claudio Prono OPST
System Developer
Gsm: +39-349-54.33.258
@PSS Srl Tel: +39-011-32.72.100
Via San Bernardino, 17 Fax: +39-011-32.46.497
10141 Torino - ITALY http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
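An added example, not part of the thread and not code from OpenAFS, pam_krb5 or OpenSuse: a small model of how Linux-PAM combines per-module return codes under the required/requisite/sufficient/optional control flags, run over the common-auth and common-account stacks quoted above. It makes no real PAM calls; each module's outcome is a constructed assumption passed in by the caller (the names PAM_SUCCESS, PAM_AUTH_ERR, PAM_PERM_DENIED and PAM_IGNORE mirror the Linux-PAM return codes, and the scenario in which the account-phase pam_unix2.so fails for a non-local user is an illustration, not a diagnosis of the case in the thread). The point it demonstrates is the one the log raises: pam_authenticate can return success from the auth stack while sshd still reports an overall failure, because sshd also runs the account stack, and a requisite or required module failing there produces the same "Authentication failure" message.

```python
"""Model of Linux-PAM stacking rules (added example, not from the thread).

Control-flag semantics implemented, as documented for Linux-PAM's simple syntax:
  required  - a failure is recorded but later modules still run
  requisite - a failure returns immediately
  sufficient- a success returns immediately unless a required module already failed
  optional  - its result counts only if no other module gave a definitive one
No real PAM call is made; module outcomes are supplied by the caller.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_IGNORE = "PAM_IGNORE"  # module declined / did not apply

# Stacks copied from the thread's common-auth and common-account files.
COMMON_AUTH = """
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix2.so
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
"""

COMMON_ACCOUNT = """
account requisite pam_unix2.so
account required pam_krb5.so use_first_pass ignore_unknown_principals
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass
"""


def parse_stack(text):
    """Parse 'type control module [args...]' lines into (type, control, module, args)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mtype, control, module, *args = line.split()
        entries.append((mtype, control, module, args))
    return entries


def run_stack(entries, outcomes):
    """Combine per-module return codes according to their control flags.

    outcomes maps (type, module) -> PAM return code.  Returns (final_code, trace),
    where trace lists the modules that were actually consulted, in order.
    """
    recorded_failure = None  # first failure of a 'required' module
    required_success = False
    optional_result = None
    trace = []
    for mtype, control, module, _args in entries:
        rc = outcomes.get((mtype, module), PAM_IGNORE)
        trace.append((module, control, rc))
        if rc == PAM_IGNORE:
            continue
        if control == "required":
            if rc == PAM_SUCCESS:
                required_success = True
            elif recorded_failure is None:
                recorded_failure = rc
        elif control == "requisite":
            if rc != PAM_SUCCESS:
                return rc, trace  # stop at once; nothing after it runs
            required_success = True
        elif control == "sufficient":
            if rc == PAM_SUCCESS and recorded_failure is None:
                return PAM_SUCCESS, trace  # short-circuit: pam_deny etc. never run
            # a failing 'sufficient' module is simply ignored
        elif control == "optional":
            if optional_result is None:
                optional_result = rc
    if recorded_failure is not None:
        return recorded_failure, trace
    if required_success:
        return PAM_SUCCESS, trace
    if optional_result is not None:
        return optional_result, trace
    return PAM_PERM_DENIED, trace  # nothing decided: deny by default


def run_login(outcomes):
    """Run the auth phase and then the account phase, as an sshd login does.

    Returns {"auth": code, "account": code or None, "failed_in": phase or None}.
    """
    auth_rc, _ = run_stack(parse_stack(COMMON_AUTH), outcomes)
    result = {"auth": auth_rc, "account": None, "failed_in": None}
    if auth_rc != PAM_SUCCESS:
        result["failed_in"] = "auth"
        return result
    acct_rc, _ = run_stack(parse_stack(COMMON_ACCOUNT), outcomes)
    result["account"] = acct_rc
    if acct_rc != PAM_SUCCESS:
        result["failed_in"] = "account"
    return result


# Constructed scenario (an assumption for illustration, not a diagnosis):
# the KDC accepts the password, but the local modules hold no entry for the user.
NO_LOCAL_ENTRY = {
    ("auth", "pam_env.so"): PAM_SUCCESS,
    ("auth", "pam_unix2.so"): PAM_AUTH_ERR,      # no local password hash
    ("auth", "pam_krb5.so"): PAM_SUCCESS,        # Kerberos says yes
    ("auth", "pam_deny.so"): PAM_AUTH_ERR,       # never reached (sufficient above)
    ("account", "pam_unix2.so"): PAM_AUTH_ERR,   # requisite: stops the account stack
    ("account", "pam_krb5.so"): PAM_SUCCESS,
    ("account", "pam_localuser.so"): PAM_PERM_DENIED,
    ("account", "pam_ldap.so"): PAM_SUCCESS,
}

# Same user once the account-phase pam_unix2.so is satisfied.
LOCAL_OK = {**NO_LOCAL_ENTRY, ("account", "pam_unix2.so"): PAM_SUCCESS}

if __name__ == "__main__":
    for name, scenario in (("no local entry", NO_LOCAL_ENTRY), ("local ok", LOCAL_OK)):
        print(name, run_login(scenario))
```

Running it prints, for the first scenario, an auth result of PAM_SUCCESS followed by an account result of PAM_AUTH_ERR with the failure attributed to the account phase; the trace for the auth stack stops at pam_krb5.so, so pam_deny.so is never consulted, which is exactly why the auth phase alone cannot explain a final denial. When reading a real syslog, the practical check is therefore to enable debugging on the account-stage modules as well, not only on pam_krb5, and to compare the sshd pid on the failure line with the pids on the module lines.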