[OpenAFS] Ticket cache file permission incorrect of Openafs Client in Scientific Linux 6
huangql
huangql@ihep.ac.cn
Mon, 29 Jul 2019 12:47:35 +0800
Dear all,

I'm stuck with incorrect ticket cache file permissions after users log in to the farm with the PAM module. In this case, users fail to run the "kpasswd" and "klist" commands, with the following errors.

kpasswd: Credentials cache permissions incorrect getting principal from ccache

klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_60037_1BdT0m)

I found the error is caused by the incorrect permissions of the ticket file (all the personal ticket files have the root uid but the right gid).

For example:

-rw------- 1 root u07 469 Jul 29 10:00 /tmp/krb5cc_60037_1BdT0m

And this issue happens in Scientific Linux 6, not in Scientific Linux 7.

I attached the pam.d configuration:

[root@lxslc613 ~]# vi /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    pam_krb5.so try_first_pass
auth        optional      pam_afs_session.so program=/usr/bin/aklog
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     sufficient    pam_krb5.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    sufficient    pam_krb5.so use_first_pass
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_afs_session.so program=/usr/bin/aklog
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
~

[root@lxslc613 ~]# vi /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    pam_krb5.so try_first_pass
auth        optional      pam_afs_session.so program=/usr/bin/aklog

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     sufficient    pam_krb5.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_krb5.so
session     optional      pam_afs_session.so program=/usr/bin/aklog
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Does anyone know about this issue and can give me some clues? Any suggestions would be greatly appreciated. Many thanks.

Regards,
Qiulan

huangql
====================================================================
Computing center, the Institute of High Energy Physics, CAS, China
Qiulan Huang                  Tel: (+86) 10 8823 6087
P.O. Box 918-7                Fax: (+86) 10 8823 6839
Beijing 100049 P.R. China     Email: huangql@ihep.ac.cn
====================================================================
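
A check for the symptom reported in this message, as an added example that is not part of the original post: it flags credential caches whose owner uid differs from the uid embedded in the file name, and additionally caches whose mode is not 600. It assumes GNU stat and the krb5cc_<uid>_<suffix> naming shown in the message; the function names are made up for this example.

```bash
#!/bin/bash
# Added example (not from the original post). Assumes GNU stat and the
# krb5cc_<uid>_<suffix> file naming shown in the message above.

# check_ccache FILE: print OK, BAD_OWNER, BAD_MODE or SKIP for one cache file.
check_ccache() {
    local path="$1" base name_uid owner mode
    base=${path##*/}
    name_uid=${base#krb5cc_}      # drop the prefix
    name_uid=${name_uid%%_*}      # drop the random suffix, if any
    case $base in
        krb5cc_*) ;;
        *) echo "SKIP $path (not a krb5cc_ file)"; return 0 ;;
    esac
    case $name_uid in
        ''|*[!0-9]*) echo "SKIP $path (no numeric uid in name)"; return 0 ;;
    esac
    # Never follow symlinks planted in a world-writable directory.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "SKIP $path (not a regular file)"; return 0
    fi
    owner=$(stat -c '%u' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$owner" != "$name_uid" ]; then
        # The symptom in this thread: cache owned by root instead of the user.
        echo "BAD_OWNER $path owner_uid=$owner expected_uid=$name_uid"
    elif [ "$mode" != "600" ]; then
        echo "BAD_MODE $path mode=$mode expected=600"
    else
        echo "OK $path"
    fi
}

# scan_ccaches [DIR]: check every krb5cc_* entry; return 1 if any is BAD_*.
scan_ccaches() {
    local dir="${1:-/tmp}" f line rc=0
    for f in "$dir"/krb5cc_*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        line=$(check_ccache "$f")
        echo "$line"
        case $line in BAD_*) rc=1 ;; esac
    done
    return "$rc"
}
```

Source the file and run `scan_ccaches /tmp` after a PAM login; a non-zero return means at least one cache has the wrong owner or mode.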