[OpenAFS] aklog: unknown RPC error (-1765328377) while getting AFS tickets

Steven Schoch schoch6@gmail.com
Wed, 25 Apr 2018 15:13:52 -0700



Never mind. I figured it out!

I got the Kerberos login to work by running:
# authconfig  --enablekrb5 --update
Then I updated /etc/pam.d/system-auth by adding pam_afs_session.so as
described in the manual. At first, that didn't work, but then I discovered
that pam.d/sshd included password-auth instead of system-auth, so I fixed
that.

Now, when I log in, I automatically get an AFS token.
I next fixed the permissions in my home directory by adding my user to the
ACL. Now I can write into my home directory! I think we're there.

-- 
Steve


On Wed, Apr 25, 2018 at 12:03 PM, Steven Schoch <schoch6@gmail.com> wrote:

> Thank you! I overlooked expiration time. I was expecting a ticket to be
> automatically created when I authenticated through SSH, but it didn't.
> I changed the file /etc/pam.d/system-auth as documented, so that the first
> section now looks like this:
>
> auth        required      pam_env.so
> auth        sufficient    pam_afs.so try_first_pass ignore_root
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        required      pam_deny.so
>
> The expectation is when I connect with SSH, it will use kerberos for
> authentication, but it doesn't seem to be getting a ticket. How do I do
> that?
>
> If I get a ticket manually using kinit, then aklog works. However, I still
> don't have permissions to create a file:
>
> $ cd /afs/.example.com/home/xdemo
> $ ls -ld
> drwxr-xr-x. 3 xdemo root 2048 Apr 25 10:57 .
> $ touch file
> touch: cannot touch `file': Permission denied
>
>
> On Wed, Apr 25, 2018 at 11:41 AM, Jeffrey Altman <jaltman@auristor.com>
> wrote:
>
>> -1765328352 (krb5).32 = Ticket expired
>>
>
>
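Two things in this thread are worth being able to check mechanically: decoding a com_err value such as the "-1765328352 (krb5).32" that Jeffrey Altman resolved to "Ticket expired" (the subject line's -1765328377 is offset 7 in the same krb5 table, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN), and confirming that pam_afs_session.so is actually reached by the PAM stack sshd uses, which is what went wrong here because sshd included password-auth rather than system-auth. The script below is an added example, not code from the thread or from OpenAFS; it uses a constructed in-memory stand-in for /etc/pam.d and assumes, as the pam_afs_session documentation recommends, that the module is listed in both the auth and session stacks.

```python
import re

# com_err packs an error-table base and a small offset into one signed 32-bit
# value; the krb5 table base is -1765328384 (ERROR_TABLE_BASE_krb5).
KRB5_TABLE_BASE = -1765328384

def krb5_offset(code):
    """Return the krb5 table offset of a com_err code, or None if not krb5.
    -1765328352 -> 32, which the thread identifies as 'Ticket expired'."""
    off = code - KRB5_TABLE_BASE
    return off if 0 <= off < 256 else None

# Constructed stand-in for /etc/pam.d (service -> file text), mirroring the
# thread: pam_afs_session.so lives in system-auth, but sshd pulls in
# password-auth, so an ssh login never reaches it.
PAM_D = {
    "sshd": "auth substack password-auth\nsession include password-auth\n",
    "password-auth": ("auth required pam_env.so\nauth sufficient pam_unix.so\n"
                      "session required pam_unix.so\n"),
    "system-auth": ("auth required pam_env.so\nauth sufficient pam_unix.so\n"
                    "auth optional pam_afs_session.so\n"
                    "session required pam_unix.so\n"
                    "session optional pam_afs_session.so\n"),
}

# type (optionally prefixed with '-'), control (word or [bracketed]), module
_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def resolve_stack(service, mtype, files=PAM_D, depth=0):
    """Flatten the `mtype` (auth/session/...) stack of `service`, following
    include/substack lines the way libpam does; returns the module names."""
    if depth > 8:
        raise RuntimeError("include loop at " + service)
    modules = []
    for raw in files.get(service, "").splitlines():
        m = _LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != mtype:
            continue
        control, module = m.group(2), m.group(3)
        if control in ("include", "substack"):
            modules += resolve_stack(module, mtype, files, depth + 1)
        else:
            modules.append(module)
    return modules

def has_afs_session(service, files=PAM_D):
    """True when pam_afs_session.so is reached in both the auth and session
    stacks the service really uses (the module obtains the AFS token there)."""
    return all("pam_afs_session.so" in resolve_stack(service, t, files)
               for t in ("auth", "session"))
```

Pointing `files` at the real /etc/pam.d contents turns this into a quick audit of which login services will actually get a token.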
