[OpenAFS] How to replace pam_krb5 on RHEL 8 systems

Stephan Wonczak a0033@rrz.uni-koeln.de
Fri, 8 Jul 2022 14:35:27 +0200 (CEST)

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT

   Hi everyone!
   (Berthold's colleague here)

   We dug a little deeper and found the part in the pam_krb5-sources where 
it fails. It is in the file "minikafs.c" starting in line 775. It looks 
like the call to krb5_get_credentials() gets a non-zero return value, thus 
making it bail out.
   The problem is that we (well, at least me!) have no idea which enctype 
is expected, and which enctypes are actually tried. Debug output is not 
too helpful here. Any ideas on how to get useful information?
   (I should mention I am waaay out of depth here with my knowledge of 
Kerberos, and my C-fu is severely lacking, too ;-) )

   To be absolutley clear: We can ssh-login to the machine running this 
pam_krb.so-module, and get a valid krb5-ticket. No AFS-token after login, 
thus no access to AFS. If I do "klog.krb5", I -do- get an AFS-Token 
without any issues, and AFS-access starts working as it should.
   It's maddening that only pam_krb5 complains, while other tools work 
out of the box.

   Any advice would be greatly appreciated!


On Fri, 8 Jul 2022, Berthold Cogel wrote:

> Am 07.07.22 um 19:04 schrieb Dirk Heinrichs:
>>  Benjamin Kaduk:
>>>  Are you aware of pam_afs_session
>>>  (https://github.com/rra/pam-afs-session)? Without knowing more about
>>>  what you're using pam_krb5 for it's hard to make specific suggestions
>>>  about what alternatives might exist.
>>  BTW: pam_krb5 != pam_krb5. There are two different modules with the same
>>  name out there. The one shipped with RedHat family distributions comes
>>  with integrated AFS support, while the one shipped with Debian family
>>  distributions doesn't. That's the reason why Debian also ships
>>  pam_afs_session and RH does not.
>>  Bye...
>>       Dirk
> We're using the pam_krb5 shipped with Red Hat.
> I've rebuild the module from the RHEL 7 source rpm on RHEL 8. And it seems to 
> work.... for some value of working....
> Supported enctypes in our kdc:
> aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3
> We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to get 
> connections from newer Ubuntu/Debian and Fedora 35 working.
> We get a krb5 ticket and a login, but getting the AFS token gives errors:
> "error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' 
> (enctype=1) on behalf of ....: No credentials found with supported encryption 
> types"
> Same for two other enctypes.
> So something else changed in RHEL 8, which we haven't found yet.
> Regards
> Berthold
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

 	Dipl. Chem. Dr. Stephan Wonczak

         Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
         Universitaet zu Koeln, Weyertal 121, 50931 Koeln
         Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625