[OpenAFS] Help: OpenAFS/NFS mixed environment login problem

Lee Eric openlinuxsource@gmail.com
Tue, 18 Oct 2011 00:04:54 +0800


Hi,

In my environment, the client systems need to access both OpenAFS and NFS,
so I set up PAM with pam_krb5 and pam_afs_session. Some users' home
dirs are on OpenAFS, and other users are using NFS for their home
dirs. NFS is Kerberized properly.

The users who are using OpenAFS can log in to the system successfully
every time. But NFS users can sometimes log in to the system and sometimes
cannot, due to a timeout. Here's the log from the Kerberos server
showing an NFS user logging in to the system.


Oct 17 11:59:35 server.herdingcat.internal krb5kdc[30165](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318862837, etypes {rep=18 tkt=18 ses=18}, amy@HERDINGCAT.INTERNAL for nfs/server.herdingcat.internal@HERDINGCAT.INTERNAL
Oct 17 11:59:39 server.herdingcat.internal krb5kdc[30165](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: NEEDED_PREAUTH: amy@HERDINGCAT.INTERNAL for krbtgt/HERDINGCAT.INTERNAL@HERDINGCAT.INTERNAL, Additional pre-authentication required
Oct 17 11:59:39 server.herdingcat.internal krb5kdc[30165](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318867179, etypes {rep=18 tkt=18 ses=18}, amy@HERDINGCAT.INTERNAL for krbtgt/HERDINGCAT.INTERNAL@HERDINGCAT.INTERNAL
Oct 17 11:59:39 server.herdingcat.internal krb5kdc[30165](info): TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318867179, etypes {rep=18 tkt=1 ses=1}, amy@HERDINGCAT.INTERNAL for afs/herdingcat.internal@HERDINGCAT.INTERNAL
Oct 17 11:59:40 server.herdingcat.internal krb5kdc[30165](info): TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318867179, etypes {rep=18 tkt=1 ses=1}, amy@HERDINGCAT.INTERNAL for afs/herdingcat.internal@HERDINGCAT.INTERNAL
Oct 17 11:59:40 server.herdingcat.internal krb5kdc[30165](info): TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318867179, etypes {rep=18 tkt=1 ses=1}, amy@HERDINGCAT.INTERNAL for afs/herdingcat.internal@HERDINGCAT.INTERNAL
Oct 17 11:59:41 server.herdingcat.internal krb5kdc[30165](info): TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318867179, etypes {rep=18 tkt=1 ses=1}, amy@HERDINGCAT.INTERNAL for afs/herdingcat.internal@HERDINGCAT.INTERNAL
Oct 17 11:59:41 server.herdingcat.internal krb5kdc[30165](info): TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318867179, etypes {rep=18 tkt=1 ses=1}, amy@HERDINGCAT.INTERNAL for afs/herdingcat.internal@HERDINGCAT.INTERNAL
Oct 17 11:59:41 server.herdingcat.internal krb5kdc[30165](info): TGS_REQ (1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318867179, etypes {rep=18 tkt=1 ses=1}, amy@HERDINGCAT.INTERNAL for afs/herdingcat.internal@HERDINGCAT.INTERNAL

The user amy is using NFS for her home dir. So sometimes she cannot log
in to the system due to a timeout, as I mentioned before.

Here are the PAM configuration files on the client.

/etc/pam.d/system-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        optional      pam_afs_session.so
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     required      pam_afs_session.so

/etc/pam.d/password-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        optional      pam_afs_session.so
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     required      pam_afs_session.so

The OS is Fedora 14. Could anyone give tips to fix this problem so that
OpenAFS/NFS logins work properly? Most of the time the NFS users cannot
log in to the system.

Thanks.

Eric
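The krb5kdc log quoted in the post is a sequence of AS_REQ/TGS_REQ entries, and the first thing a practitioner does with such a sequence is count what was issued to whom and with which key types. The parser below is an added example written for this page; it is not code from the post, from OpenAFS, or from pam_krb5/pam_afs_session. It groups krb5kdc "(info)" lines by client address, client principal, service principal and status, names the ticket encryption types using the krb5 etype registry numbers (1 = des-cbc-crc, 16 = des3-cbc-sha1, 17/18 = aes128/aes256-cts-hmac-sha1-96, 23 = arcfour-hmac), flags single-DES ticket keys, and reports the distinct authtimes (one per TGT) and the time span covered. The embedded sample is the posted log, with each entry joined back onto one line; the regular expression is written for the MIT krb5kdc line format shown there and is an assumption for other versions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Kerberos encryption type numbers (krb5 etype registry). Anything not
# listed is reported as "etype-N".
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ETYPES = {1, 2, 3}  # single DES ticket keys

# One krb5kdc "(info)" AS_REQ/TGS_REQ line in the format quoted in the post
# (MIT krb5kdc on Fedora 14). The authtime/etypes group is absent on
# NEEDED_PREAUTH lines, so it is optional; a trailing ", Additional ..."
# remark is ignored.
LOG_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[\d+\]\(info\): (?P<kind>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[\d ]+)\}\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) "
    r"ses=(?P<ses>\d+)\}, )?(?P<client>\S+) for (?P<server>[^\s,]+)"
)

# Sample input: the nine entries from the post, joined onto one line each.
SAMPLE_KDC_LOG = "\n".join([
    "Oct 17 11:59:35 server.herdingcat.internal krb5kdc[30165](info): TGS_REQ "
    "(4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318862837, etypes "
    "{rep=18 tkt=18 ses=18}, amy@HERDINGCAT.INTERNAL for "
    "nfs/server.herdingcat.internal@HERDINGCAT.INTERNAL",
    "Oct 17 11:59:39 server.herdingcat.internal krb5kdc[30165](info): AS_REQ "
    "(4 etypes {18 17 16 23}) 192.168.122.17: NEEDED_PREAUTH: amy@HERDINGCAT.INTERNAL "
    "for krbtgt/HERDINGCAT.INTERNAL@HERDINGCAT.INTERNAL, Additional "
    "pre-authentication required",
    "Oct 17 11:59:39 server.herdingcat.internal krb5kdc[30165](info): AS_REQ "
    "(4 etypes {18 17 16 23}) 192.168.122.17: ISSUE: authtime 1318867179, etypes "
    "{rep=18 tkt=18 ses=18}, amy@HERDINGCAT.INTERNAL for "
    "krbtgt/HERDINGCAT.INTERNAL@HERDINGCAT.INTERNAL",
] + [
    f"Oct 17 {ts} server.herdingcat.internal krb5kdc[30165](info): TGS_REQ "
    "(1 etypes {1}) 192.168.122.17: ISSUE: authtime 1318867179, etypes "
    "{rep=18 tkt=1 ses=1}, amy@HERDINGCAT.INTERNAL for "
    "afs/herdingcat.internal@HERDINGCAT.INTERNAL"
    for ts in ("11:59:39", "11:59:40", "11:59:40", "11:59:41", "11:59:41", "11:59:41")
])


def parse_kdc_log(text):
    """Parse krb5kdc info lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["offered"] = [int(e) for e in rec["offered"].split()]
        for key in ("authtime", "rep", "tkt", "ses"):
            rec[key] = int(rec[key]) if rec[key] is not None else None
        records.append(rec)
    return records


def etype_name(n):
    return ETYPE_NAMES.get(n, f"etype-{n}")


def summarize(records):
    """Count requests per (ip, client, service, status); collect the ticket
    key types issued for each service principal."""
    counts = Counter()
    tkt_etypes = defaultdict(set)
    for r in records:
        counts[(r["ip"], r["client"], r["server"], r["status"])] += 1
        if r["tkt"] is not None:
            tkt_etypes[r["server"]].add(r["tkt"])
    return counts, tkt_etypes


def weak_ticket_requests(records):
    """Issued tickets whose ticket key is a single-DES type."""
    return [r for r in records if r["tkt"] in WEAK_ETYPES]


def distinct_authtimes(records):
    """Each authtime corresponds to one TGT (initial authentication)."""
    return {r["authtime"] for r in records if r["authtime"] is not None}


def span_seconds(records):
    """Seconds between the first and last log entry (year-less syslog stamps)."""
    stamps = [datetime.strptime(r["ts"], "%b %d %H:%M:%S") for r in records]
    return int((max(stamps) - min(stamps)).total_seconds())


def report(records):
    counts, tkt_etypes = summarize(records)
    lines = []
    for (ip, client, server, status), n in sorted(counts.items()):
        keys = ", ".join(etype_name(e) for e in sorted(tkt_etypes.get(server, ())))
        flag = "  WEAK" if tkt_etypes.get(server, set()) & WEAK_ETYPES else ""
        lines.append(f"{n:2d}x {status:14s} {client} -> {server} from {ip} [tkt: {keys or '-'}]{flag}")
    lines.append(f"authtimes (TGTs): {sorted(distinct_authtimes(records))}; span {span_seconds(records)}s")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_kdc_log(SAMPLE_KDC_LOG))))
```

On the posted entries it reports six afs/herdingcat.internal tickets issued to 192.168.122.17 within about two seconds, each with a des-cbc-crc (etype 1) ticket key while the nfs/ and krbtgt/ tickets use aes256-cts-hmac-sha1-96, and two distinct authtimes (1318862837 for the nfs ticket, 1318867179 for everything after the new AS_REQ). Feed it `journalctl`/`/var/log/krb5kdc.log` output for a longer window to see the same grouping across many logins.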