[OpenAFS] pam-afs-session on OS X Lion

Jeffrey Altman jaltman@secure-endpoints.com
Mon, 19 Dec 2011 15:08:42 -0500



I suspect that two instances of the krb5 module need to be executed.  One
with use_kcminit and one without it.  "use_kcminit" is placing the
tickets in a cache that is only accessible from the logon session that
is being created.


On 12/19/2011 2:54 PM, Derrick Brashear wrote:
> yeah, that's going to be the issue; the "answer" will either be that
> afs_session needs to run after the krb5 module does whichever step
> writes out the creds for real, or that it will have to learn how to
> raid the temp kcm cache.
>
> On Mon, Dec 19, 2011 at 2:46 PM, Dave Botsch <botsch@cnf.cornell.edu> wrote:
>> So, the culprit in part appears to be the use_kcminit option on Apple's
>> pam_krb5 ... this option does not appear to be in the pam_krb5 man page
>> on Lion. Though, browsing source seems to indicate that this option in
>> part uses some sort of temporary cache someplace to stick the tickets
>> until login is completed.
>>
>> So, if use_kcminit is there...
>>
>> Credentials cache: API:502:41
>>        Principal: dwb7@CIT.CORNELL.EDU
>>
>>  Issued    Expires  Flags    Principal
>> aklog: Couldn't get cnf.cornell.edu AFS tickets:
>> aklog: unknown RPC error (-1765328243) while getting AFS tickets
>>
>>
>> and if I in my login session then do a klist, I *do* see the TGT in that
>> same cache.
>>
>> If I remove the undocumented use_kcminit:
>>
>> Credentials cache: API:502
>>        Principal: dwb7@CIT.CORNELL.EDU
>>
>>  Issued           Expires        Flags    Principal
>> Dec 19 14:36:59  Dec 20 00:36:59  FPI  krbtgt/CIT.CORNELL.EDU@CIT.CORNELL.EDU
>>
>>
>>
>> Authenticating to cell cnf.cornell.edu (server hole.cnf.cornell.edu).
>> Trying to authenticate to user's realm CIT.CORNELL.EDU.
>> Getting tickets: afs/cnf.cornell.edu@CIT.CORNELL.EDU
>> We've deduced that we need to authenticate to realm CNF.CORNELL.EDU.
>> Getting tickets: afs/cnf.cornell.edu@CNF.CORNELL.EDU
>> Getting tickets: afs/cnf.cornell.edu@CNF.CORNELL.EDU
>> Getting tickets: afs@CNF.CORNELL.EDU
>> Using Kerberos V5 ticket natively
>> About to resolve name dwb7@CIT.CORNELL.EDU to id in cell
>> cnf.cornell.edu.
>> Id 261937
>> Set username to AFS ID 261937
>> Setting tokens. AFS ID 261937 @ cnf.cornell.edu
>>
>>
>> What is interesting, however, is that in the login session, every other
>> time, klist then shows me no tickets due to no credentials cache or does
>> show me tickets. So, it would appear that after login, sometimes, the
>> ticket cache goes bye bye. But, the ticket cache was there long enough
>> to get tokens.
>>
>> Also, pam_afs_session is only being called in the pam 'auth' stack, not
>> in the "session" stack.
>>
>> And, pam_afs_session doesn't work in the screensaver pam.d config:
>>
>> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
>> pam_sm_setcred: entry (0x1)
>> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
>> running /usr/bin/aklog.sh as UID 502
>> Dec 19 14:45:53 tmp29 loginwindow[40153]: pam_afs_session(screensaver):
>> cannot setuid to UID 502: Operation not permitted
>> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
>> aklog program /usr/bin/aklog.sh returned 1
>> Dec 19 14:45:53 tmp29 loginwindow[39876]: pam_afs_session(screensaver):
>> pam_sm_setcred: exit (success)
>>
>>
>> On Mon, Dec 19, 2011 at 02:04:27PM -0500, Derrick Brashear wrote:
>>> replace aklog with a shell script that outputs klist and aklog -d to a
>>> file in /tmp and see what it's really doing.
>>>
>>> all the below tells us is kerberos failed. knowing if you have
>>> tickets, etc, would be much more interesting.
>>>
>>> On Mon, Dec 19, 2011 at 1:00 PM, Dave Botsch <botsch@cnf.cornell.edu> wrote:
>>>> hi, all.
>>>>
>>>> So, pam-afs-session doesn't seem to work on Lion, properly with:
>>>>
>>>> OpenAFS 1.6.0-1-g54686 built  2011-09-02
>>>>
>>>> So, I can get Kerberos tickets and run aklog to successfully get tokens
>>>> at the command prompt, and all works fine. However, if I try to get
>>>> tokens whilst logging in, I run into the following problem:
>>>>
>>>> Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>>>> pam_afs_session(authorization): pam_sm_setcred: entry (0x1)
>>>> Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>>>> pam_afs_session(authorization): running /usr/bin/aklog as UID 502
>>>> Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>>>> pam_afs_session(authorization): aklog program /usr/bin/aklog returned 4
>>>> Dec 19 10:19:57 tmp29 authorizationhost[35432]:
>>>> pam_afs_session(authorization): pam_sm_setcred: exit (success)
>>>>
>>>> Note that I *do* get Kerberos tickets upon logging in from the built-in
>>>> pam_krb5.
>>>>
>>>> Here's my PAM config in /etc/pam.d/authorization :
>>>>
>>>> # authorization: auth account
>>>> auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
>>>> auth       optional       pam_ntlm.so use_first_pass
>>>> auth    optional        pam_afs_session.so nopag always_aklog debug
>>>> auth       required       pam_opendirectory.so use_first_pass nullok
>>>> account    required       pam_opendirectory.so
>>>> session optional        pam_afs_session.so nopag always_aklog debug
>>>>
>>>> Thanks.
>>>>
>>>>
>>>>
>>>> --
>>>> ********************************
>>>> David William Botsch
>>>> Programmer/Analyst
>>>> CNF Computing
>>>> botsch@cnf.cornell.edu
>>>> ********************************
>>>> _______________________________________________
>>>> OpenAFS-info mailing list
>>>> OpenAFS-info@openafs.org
>>>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>>
>>>
>>>
>>> --
>>> Derrick
>>>
>>

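Derrick's suggestion in the quoted thread (swap the real aklog for a shell script that records klist and aklog -d output) is worth having written down. The wrapper below is an added example, not code from this thread or from OpenAFS/pam-afs-session. It assumes the real binaries are at /usr/bin/klist and /usr/bin/aklog (overridable through the KLIST and AKLOG variables), that pam_afs_session is pointed at it with its program= option under the name aklog.sh, and that logs go under /tmp. The two embedded klist samples are constructed from the output quoted in the thread (an empty temporary cache as seen with use_kcminit, and a cache holding a TGT).

```shell
#!/bin/sh
# aklog.sh: debugging wrapper around aklog for pam_afs_session.
# Added example; not from the thread or from OpenAFS/pam-afs-session.
# Assumptions: real binaries at the paths below (override with KLIST/AKLOG),
# pam_afs_session configured with program=/usr/bin/aklog.sh, logs under /tmp.

KLIST="${KLIST:-/usr/bin/klist}"
AKLOG="${AKLOG:-/usr/bin/aklog}"

# Constructed samples of the two klist outputs quoted in the thread: the empty
# temporary cache seen with use_kcminit, and a cache that holds a TGT.
SAMPLE_KLIST_EMPTY='Credentials cache: API:502:41
        Principal: dwb7@CIT.CORNELL.EDU

  Issued    Expires  Flags    Principal'

SAMPLE_KLIST_TGT='Credentials cache: API:502
        Principal: dwb7@CIT.CORNELL.EDU

  Issued           Expires        Flags    Principal
Dec 19 14:36:59  Dec 20 00:36:59  FPI  krbtgt/CIT.CORNELL.EDU@CIT.CORNELL.EDU'

# Print the cache name klist reports (e.g. API:502:41) from klist output on
# stdin; prints nothing if there is no "Credentials cache:" line at all.
ccache_name() {
    awk '/^Credentials cache: / { print $3; exit }'
}

# Succeed (exit 0) only if the klist output on stdin lists a krbtgt entry,
# i.e. the cache the PAM call sees holds a TGT and not just the header lines.
cache_has_tgt() {
    grep -q 'krbtgt/'
}

# Append to $1: who we run as, which cache we see, the full klist output and
# what "aklog -d" says. Returns aklog's own exit status so that
# pam_afs_session still observes the real result.
run_aklog_debug() {
    logfile="$1"
    klist_out=$("$KLIST" 2>&1) || true
    if printf '%s\n' "$klist_out" | cache_has_tgt; then tgt=yes; else tgt=no; fi
    if aklog_out=$("$AKLOG" -d 2>&1); then status=0; else status=$?; fi
    {
        printf '=== %s pid=%s uid=%s euid=%s\n' "$(date)" "$$" "$(id -ru)" "$(id -u)"
        printf 'KRB5CCNAME=%s\n' "${KRB5CCNAME:-<unset>}"
        printf 'cache=%s tgt=%s aklog_exit=%s\n' \
            "$(printf '%s\n' "$klist_out" | ccache_name)" "$tgt" "$status"
        printf -- '--- klist ---\n%s\n--- aklog -d ---\n%s\n' "$klist_out" "$aklog_out"
    } >> "$logfile"
    return "$status"
}

# Act as the wrapper only when invoked under the name aklog.sh; sourcing this
# file for its functions, or running it under another name, executes nothing.
case "$0" in
    */aklog.sh|aklog.sh)
        # mktemp rather than a fixed name: this runs as the user being logged
        # in, and a predictable /tmp path could be pre-created or symlinked by
        # any other local user.
        logfile=$(mktemp /tmp/aklog-debug.XXXXXX) || exit 2
        run_aklog_debug "$logfile"
        ;;
esac
```

Read the log for the cache= and tgt= line first: it tells you whether the cache the PAM call sees is the temporary one and whether it holds a TGT yet, which is the ordering question Jeffrey raises above. The wrapper cannot help in the screensaver case quoted above, where pam_afs_session fails to setuid before the program ever starts; nothing gets logged there because the script is never run.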
