[OpenAFS] Ticket cache file permission incorrect with OpenAFS client in Scientific Linux 6
Benjamin Kaduk
kaduk@mit.edu
Wed, 31 Jul 2019 14:56:15 -0500
On Mon, Jul 29, 2019 at 12:47:35PM +0800, huangql wrote:
> Dear all,
>
> I'm stuck with incorrect ticket cache file permissions after users log in to the farm with the PAM module. In this case, users fail to run the "kpasswd" and "klist" commands with the following errors.
>
> kpasswd: Credentials cache permissions incorrect getting principal from ccache
That sounds like an issue at the Kerberos or PAM (configuration) layer;
asking on kerberos@mit.edu might be more likely to reach the right people.
-Ben
> klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_60037_1BdT0m)
>
>
> I found the error is caused by the incorrect permissions of the ticket file (all the personal ticket files have the root uid but the right gid).
>
> For example:
>
> -rw------- 1 root u07 469 Jul 29 10:00 /tmp/krb5cc_60037_1BdT0m
>
> And this issue happens in Scientific Linux 6, not in Scientific Linux 7.
>
> I have attached the pam.d configuration:
>
>
> [root@lxslc613 ~]# vi /etc/pam.d/system-auth-ac
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth sufficient pam_krb5.so try_first_pass
> auth optional pam_afs_session.so program=/usr/bin/aklog
> auth required pam_env.so
> auth sufficient pam_fprintd.so
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth required pam_deny.so
>
> account sufficient pam_krb5.so
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account required pam_permit.so
>
> password sufficient pam_krb5.so use_first_pass
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password required pam_deny.so
>
> session required pam_unix.so
> session optional pam_krb5.so
> session optional pam_afs_session.so program=/usr/bin/aklog
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>
>
> [root@lxslc613 ~]# vi /etc/pam.d/password-auth-ac
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth sufficient pam_krb5.so try_first_pass
> auth optional pam_afs_session.so program=/usr/bin/aklog
>
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth required pam_deny.so
>
> account sufficient pam_krb5.so
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password required pam_deny.so
>
> session optional pam_krb5.so
> session optional pam_afs_session.so program=/usr/bin/aklog
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
>
>
> Does anyone know about this issue and can give me some clues? Any suggestions would be greatly appreciated. Many thanks.
>
> Regards,
> Qiulan
>
>
> huangql
> ====================================================================
> Computing center,the Institute of High Energy Physics, CAS, China
> Qiulan Huang Tel: (+86) 10 8823 6087
> P.O. Box 918-7 Fax: (+86) 10 8823 6839
> Beijing 100049 P.R. China Email: huangql@ihep.ac.cn
> ===================================================================
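A quick check for the symptom described in the quoted message, added here as an example and not code from the original thread, from OpenAFS or from pam_krb5: it walks a directory for caches named krb5cc_<uid>_<random> (the default FILE ccache naming seen above) and reports any whose owner does not match the uid embedded in the name, which is exactly the root-owned /tmp/krb5cc_60037_1BdT0m case. It assumes GNU stat(1) as shipped on Scientific Linux; the directory argument is an addition so the check can be exercised on a scratch tree without root.

```shell
#!/bin/sh
# Added diagnostic (not from the original thread): report Kerberos FILE ccaches
# whose owner does not match the uid encoded in the krb5cc_<uid>_<random> name.
# Assumes the Red Hat/SL6 pam_krb5 naming /tmp/krb5cc_UID_XXXXXX and GNU stat(1).

# check_ccache_owners [DIR]
# Prints one line per mis-owned cache: "<path> owner=<uid> expected=<uid>".
# Returns 0 if every cache is owned by the uid in its name, 1 if any is not.
check_ccache_owners() {
    dir="${1:-/tmp}"
    bad=0
    for f in "$dir"/krb5cc_*; do
        [ -e "$f" ] || continue            # glob did not expand: no caches at all
        name=${f##*/}
        rest=${name#krb5cc_}               # drop the krb5cc_ prefix
        expected=${rest%%_*}               # uid is everything before the first '_'
        case "$expected" in
            ''|*[!0-9]*) continue ;;       # not a krb5cc_<uid>_... name, skip it
        esac
        owner=$(stat -c '%u' "$f")         # numeric owner uid (GNU stat)
        if [ "$owner" != "$expected" ]; then
            printf '%s owner=%s expected=%s\n' "$f" "$owner" "$expected"
            bad=1
        fi
    done
    return "$bad"
}
```

Run as root after a test login (`check_ccache_owners /tmp`): it prints one line per mis-owned cache and exits non-zero, so it can sit in cron or a monitoring check while the PAM stack is being bisected. A cache reported here will produce exactly the "Credentials cache permissions incorrect" error from klist and kpasswd for the user whose uid is in the name.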