[OpenAFS] pam-afs-session on OS X Lion

Dave Botsch botsch@cnf.cornell.edu
Mon, 19 Dec 2011 14:46:55 -0500


So, the culprit in part appears to be the use_kcminit option on Apple's
pam_krb5 ... this option does not appear in the pam_krb5 man page
on Lion. Though, browsing the source seems to indicate that this option in
part uses some sort of temporary cache someplace to stick the tickets
until login is completed.

So, if use_kcminit is there...

Credentials cache: API:502:41
        Principal: dwb7@CIT.CORNELL.EDU

  Issued    Expires  Flags    Principal
aklog: Couldn't get cnf.cornell.edu AFS tickets:
aklog: unknown RPC error (-1765328243) while getting AFS tickets


and if I in my login session then do a klist, I *do* see the TGT in that
same cache.

If I remove the undocumented use_kcminit:

Credentials cache: API:502
        Principal: dwb7@CIT.CORNELL.EDU

  Issued           Expires        Flags    Principal
Dec 19 14:36:59  Dec 20 00:36:59  FPI
krbtgt/CIT.CORNELL.EDU@CIT.CORNELL.EDU



Authenticating to cell cnf.cornell.edu (server hole.cnf.cornell.edu).
Trying to authenticate to user's realm CIT.CORNELL.EDU.
Getting tickets: afs/cnf.cornell.edu@CIT.CORNELL.EDU
We've deduced that we need to authenticate to realm CNF.CORNELL.EDU.
Getting tickets: afs/cnf.cornell.edu@CNF.CORNELL.EDU
Getting tickets: afs/cnf.cornell.edu@CNF.CORNELL.EDU
Getting tickets: afs@CNF.CORNELL.EDU
Using Kerberos V5 ticket natively
About to resolve name dwb7@CIT.CORNELL.EDU to id in cell
cnf.cornell.edu.
Id 261937
Set username to AFS ID 261937
Setting tokens. AFS ID 261937 @ cnf.cornell.edu


What is interesting, however, is that in the login session, every other
time, klist then shows me no tickets due to no credentials cache or does
show me tickets. So, it would appear that after login, sometimes, the
ticket cache goes bye bye. But, the ticket cache was there long enough
to get tokens.

Also, pam_afs_session is only being called in the pam 'auth' stack, not
in the "session" stack.

And, pam_afs_session doesn't work in the screensaver pam.d config:

Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
pam_sm_setcred: entry (0x1)
Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
running /usr/bin/aklog.sh as UID 502
Dec 19 14:45:53 tmp29 loginwindow[40153]: pam_afs_session(screensaver):
cannot setuid to UID 502: Operation not permitted
Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
aklog program /usr/bin/aklog.sh returned 1
Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
pam_sm_setcred: exit (success)


On Mon, Dec 19, 2011 at 02:04:27PM -0500, Derrick Brashear wrote:
> replace aklog with a shell script that outputs klist and aklog -d to a
> file in /tmp and see what it's really doing.
>
> all the below tells us is kerberos failed. knowing if you have
> tickets, etc, would be much more interesting.
>
> On Mon, Dec 19, 2011 at 1:00 PM, Dave Botsch <botsch@cnf.cornell.edu> wrote:
> > hi, all.
> >
> > So, pam-afs-session doesn't seem to work on Lion, properly with:
> >
> > OpenAFS 1.6.0-1-g54686 built 2011-09-02
> >
> > So, I can get Kerberos tickets and run aklog to successfully get tokens
> > at the command prompt, and all works fine. However, if I try to get
> > tokens whilst logging in, I run into the following problem:
> >
> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
> > pam_afs_session(authorization): pam_sm_setcred: entry (0x1)
> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
> > pam_afs_session(authorization): running /usr/bin/aklog as UID 502
> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
> > pam_afs_session(authorization): aklog program /usr/bin/aklog returned 4
> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
> > pam_afs_session(authorization): pam_sm_setcred: exit (success)
> >
> > Note that I *do* get Kerberos tickets upon logging in from the built in
> > pam_krb5.
> >
> > Here's my PAM config in /etc/pam.d/authorization :
> >
> > # authorization: auth account
> > auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
> > auth       optional       pam_ntlm.so use_first_pass
> > auth       optional       pam_afs_session.so nopag always_aklog debug
> > auth       required       pam_opendirectory.so use_first_pass nullok
> > account    required       pam_opendirectory.so
> > session    optional       pam_afs_session.so nopag always_aklog debug
> >
> > Thanks.
> >
> >
> >
> > --
> > ********************************
> > David William Botsch
> > Programmer/Analyst
> > CNF Computing
> > botsch@cnf.cornell.edu
> > ********************************
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
>
> --
> Derrick
>

--
********************************
David William Botsch
Programmer/Analyst
CNF Computing
botsch@cnf.cornell.edu
********************************
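A diagnostic stand-in for aklog of the kind Derrick suggests above, added here as an example (not code from the thread or from pam-afs-session): it records the uid it actually runs as, the ticket cache pam_krb5 handed over, klist output and the output of `aklog -d`, then returns aklog's real exit status so pam_afs_session behaves as it would with the real binary. The install name /usr/bin/aklog.sh, the AKLOG_DEBUG_DIR variable and per-run mktemp log files are assumptions.

```shell
#!/bin/sh
# Diagnostic aklog wrapper (added example, not from the thread). Install as
# /usr/bin/aklog.sh and point pam_afs_session's program= option at it.
# Log directory and the AKLOG_DEBUG_DIR override are assumptions of this example.
LOGDIR="${AKLOG_DEBUG_DIR:-/tmp}"

# aklog_debug LOGDIR [aklog args...]
aklog_debug() {
    dir="$1"
    shift
    # mktemp gives each run its own file and will not follow a pre-planted
    # symlink, which matters when LOGDIR is a world-writable /tmp.
    log=$(mktemp "$dir/aklog-debug.XXXXXX") || return 2
    rc=0
    {
        # Which uid pam_afs_session managed to switch to (the screensaver
        # case in the thread fails at setuid) and which cache it sees.
        echo "=== $(date) pid $$ uid $(id -u) ==="
        echo "KRB5CCNAME=${KRB5CCNAME:-<unset>}"
        echo "--- klist ---"
        if command -v klist >/dev/null 2>&1; then
            klist 2>&1
        else
            echo "klist: not found"
        fi
        echo "--- aklog -d $* ---"
        if command -v aklog >/dev/null 2>&1; then
            aklog -d "$@" 2>&1
            rc=$?
        else
            echo "aklog: not found"
            rc=127
        fi
        echo "--- aklog exit status: $rc ---"
    } >>"$log" 2>&1
    # Hand aklog's own status back so pam_afs_session logs the real result.
    return "$rc"
}

# Only run when invoked under the installed name, so the function can also be
# sourced for testing without side effects.
case "$0" in
    */aklog.sh|aklog.sh) aklog_debug "$LOGDIR" "$@" ;;
esac
```

Each login or screensaver unlock then leaves one file under the log directory showing whether a TGT was visible to the process that ran aklog.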