[OpenAFS] pam-afs-session on OS X Lion

Derrick Brashear shadow@gmail.com
Mon, 19 Dec 2011 14:54:53 -0500


yeah, that's going to be the issue; the "answer" will either be that
afs_session needs to run after the krb5 module does whichever step
writes out the creds for real, or that it will have to learn how to
raid the temp kcm cache.

On Mon, Dec 19, 2011 at 2:46 PM, Dave Botsch <botsch@cnf.cornell.edu> wrote:
> So, the culprit in part appears to be the use_kcminit option on apple's
> pam_krb5 ... this option does not appear to be in the pam_krb5 man page
> on Lion. Though, browsing source seems to indicate that this option in
> part uses some sort of temporary cache someplace to stick the tickets
> until login is completed.
>
> So, if use_kcminit is there...
>
> Credentials cache: API:502:41
>         Principal: dwb7@CIT.CORNELL.EDU
>
>  Issued    Expires  Flags    Principal
> aklog: Couldn't get cnf.cornell.edu AFS tickets:
> aklog: unknown RPC error (-1765328243) while getting AFS tickets
>
>
> and if I in my login session then do a klist, I *do* see the TGT in that
> same cache.
>
> If I remove the undocumented use_kcminit:
>
> Credentials cache: API:502
>         Principal: dwb7@CIT.CORNELL.EDU
>
>  Issued           Expires          Flags    Principal
> Dec 19 14:36:59  Dec 20 00:36:59  FPI
> krbtgt/CIT.CORNELL.EDU@CIT.CORNELL.EDU
>
>
>
> Authenticating to cell cnf.cornell.edu (server hole.cnf.cornell.edu).
> Trying to authenticate to user's realm CIT.CORNELL.EDU.
> Getting tickets: afs/cnf.cornell.edu@CIT.CORNELL.EDU
> We've deduced that we need to authenticate to realm CNF.CORNELL.EDU.
> Getting tickets: afs/cnf.cornell.edu@CNF.CORNELL.EDU
> Getting tickets: afs/cnf.cornell.edu@CNF.CORNELL.EDU
> Getting tickets: afs@CNF.CORNELL.EDU
> Using Kerberos V5 ticket natively
> About to resolve name dwb7@CIT.CORNELL.EDU to id in cell
> cnf.cornell.edu.
> Id 261937
> Set username to AFS ID 261937
> Setting tokens. AFS ID 261937 @ cnf.cornell.edu
>
>
> What is interesting, however, is that in the login session, every other
> time, klist then shows me no tickets due to no credentials cache or does
> show me tickets. So, it would appear that after login, sometimes, the
> ticket cache goes bye bye. But, the ticket cache was there long enough
> to get tokens.
>
> Also, pam_afs_session is only being called in the pam 'auth' stack, not
> in the "session" stack.
>
> And, pam_afs_session doesn't work in the screensaver pam.d config:
>
> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
> pam_sm_setcred: entry (0x1)
> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
> running /usr/bin/aklog.sh as UID 502
> Dec 19 14:45:53 tmp29 loginwindow[40153]: pam_afs_session(screensaver):
> cannot setuid to UID 502: Operation not permitted
> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
> aklog program /usr/bin/aklog.sh returned 1
> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
> pam_sm_setcred: exit (success)
>
>
> On Mon, Dec 19, 2011 at 02:04:27PM -0500, Derrick Brashear wrote:
>> replace aklog with a shell script that outputs klist and aklog -d to a
>> file in /tmp and see what it's really doing.
>>
>> all the below tells us is kerberos failed. knowing if you have
>> tickets, etc, would be much more interesting.
>>
>> On Mon, Dec 19, 2011 at 1:00 PM, Dave Botsch <botsch@cnf.cornell.edu> wrote:
>> > hi, all.
>> >
>> > So, pam-afs-session doesn't seem to work on Lion, properly with:
>> >
>> > OpenAFS 1.6.0-1-g54686 built 2011-09-02
>> >
>> > So, I can get Kerberos tickets and run aklog to successfully get tokens
>> > at the command prompt, and all works fine. However, if I try to get
>> > tokens whilst logging in, I run into the following problem:
>> >
>> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>> > pam_afs_session(authorization): pam_sm_setcred: entry (0x1)
>> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>> > pam_afs_session(authorization): running /usr/bin/aklog as UID 502
>> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>> > pam_afs_session(authorization): aklog program /usr/bin/aklog returned 4
>> > Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>> > pam_afs_session(authorization): pam_sm_setcred: exit (success)
>> >
>> > Note that I *do* get Kerberos tickets upon logging in from the built-in
>> > pam_krb5.
>> >
>> > Here's my PAM config in /etc/pam.d/authorization :
>> >
>> > # authorization: auth account
>> > auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
>> > auth       optional       pam_ntlm.so use_first_pass
>> > auth       optional       pam_afs_session.so nopag always_aklog debug
>> > auth       required       pam_opendirectory.so use_first_pass nullok
>> > account    required       pam_opendirectory.so
>> > session    optional       pam_afs_session.so nopag always_aklog debug
>> >
>> > Thanks.
>> >
>> >
>> >
>> > --
>> > ********************************
>> > David William Botsch
>> > Programmer/Analyst
>> > CNF Computing
>> > botsch@cnf.cornell.edu
>> > ********************************
>> > _______________________________________________
>> > OpenAFS-info mailing list
>> > OpenAFS-info@openafs.org
>> > https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>>
>>
>> --
>> Derrick
>>
>
> --
> ********************************
> David William Botsch
> Programmer/Analyst
> CNF Computing
> botsch@cnf.cornell.edu
> ********************************
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info



-- 
Derrick
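Editor's note, added to this archived message and not part of the thread: the "unknown RPC error (-1765328243)" in the quoted aklog output is the Kerberos library code KRB5_CC_NOTFOUND ("Matching credential not found"), which fits the diagnosis above, a credentials cache that exists but does not yet hold the TGT when aklog runs. The thread's debugging approach (replace aklog with a shell script that logs klist and aklog -d) is worth doing carefully, because the script runs from a PAM stack, sometimes as root before the module switches to the user. Below is an added wrapper in that spirit; it is example code, not something from the thread or from OpenAFS. It assumes the real binary has been moved to /usr/bin/aklog.real (overridable with AKLOG_REAL), that klist is at /usr/bin/klist (overridable with KLIST), and that logs go under AKLOG_DEBUG_DIR (default /tmp). It records the effective and real UID, which is the line to look at for the screensaver "cannot setuid to UID 502" case, and it hands back the real aklog's exit status unchanged so pam_afs_session's "returned N" log line keeps meaning the same thing.

```shell
#!/bin/sh
# Debugging wrapper for aklog, to be run by pam_afs_session in place of the
# real binary (the thread's /usr/bin/aklog.sh). Example code, not from the
# thread or from OpenAFS. Assumptions: the real aklog is at /usr/bin/aklog.real
# unless AKLOG_REAL overrides it; klist is at /usr/bin/klist unless KLIST
# overrides it; log files go under AKLOG_DEBUG_DIR, default /tmp.

AKLOG_REAL="${AKLOG_REAL:-/usr/bin/aklog.real}"
KLIST="${KLIST:-/usr/bin/klist}"
LOGDIR="${AKLOG_DEBUG_DIR:-/tmp}"

# Run one logged aklog invocation. Returns the real aklog's exit status so that
# pam_afs_session observes exactly what it would have observed without us.
aklog_debug_run() {
    # A PAM hook may still be root at this point. Never write to a fixed,
    # predictable name in /tmp from a root context: mktemp creates a fresh
    # mode-0600 file, so a symlink planted at a guessable path cannot redirect
    # the write onto some other file.
    logfile=$(mktemp "$LOGDIR/aklog-debug.XXXXXX") || return 1
    {
        echo "=== $(date) pid=$$ uid=$(id -ru) euid=$(id -u)"
        # Whatever cache the module handed us is the one aklog will search.
        echo "KRB5CCNAME=${KRB5CCNAME:-<unset>}"
        echo "--- klist"
        "$KLIST" 2>&1
        echo "--- aklog -d $*"
        "$AKLOG_REAL" -d "$@" 2>&1
        rc=$?
        echo "--- aklog exit status $rc"
    } >"$logfile"
    return "$rc"
}

# Only dispatch when invoked under the name the PAM module calls; sourcing this
# file (for example to exercise aklog_debug_run by hand) runs nothing.
case "$0" in
    */aklog|*/aklog.sh|aklog|aklog.sh) aklog_debug_run "$@" ;;
esac
```

After a login attempt, read the newest /tmp/aklog-debug.* file: the klist section shows which cache was visible and whether it already contained the TGT, the uid/euid line shows whether the module managed to switch to the user, and the final line is the same exit status pam_afs_session logged.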