[OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Jeffrey E Altman
jaltman@auristor.com
Fri, 8 Jul 2022 10:02:27 -0400
This is a cryptographically signed message in MIME format.
--------------ms070703060906010200010408
Content-Type: multipart/alternative;
boundary="------------XSU0aNZ84zREIjxm6i05Icb6"
--------------XSU0aNZ84zREIjxm6i05Icb6
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Sounds like the version of pam_krb5 you are attempting to build does not
include support for rxkad-kdf.
https://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html
The version of pam_krb5 that supports rxkad-kdf contains a
minikafs_kd_derive() function at minikafs.c line 775.
See https://github.com/frozencemetery/pam_krb5.
As mentioned in my prior reply pam_krb5 should not be used in
conjunction with sssd.
Jeffrey Altman
On 7/8/2022 8:35 AM, Stephan Wonczak (a0033@rrz.uni-koeln.de) wrote:
> Hi everyone!
> (Berthold's colleague here)
>
> We dug a little deeper and found the part in the pam_krb5-sources
> where it fails. It is in the file "minikafs.c" starting in line 775.
> It looks like the call to krb5_get_credentials() gets a non-zero
> return value, thus making it bail out.
> The problem is that we (well, at least me!) have no idea which
> enctype is expected, and which enctypes are actually tried. Debug
> output is not too helpful here. Any ideas on how to get useful
> information?
> (I should mention I am waaay out of depth here with my knowledge of
> Kerberos, and my C-fu is severely lacking, too ;-) )
>
> To be absolutley clear: We can ssh-login to the machine running this
> pam_krb.so-module, and get a valid krb5-ticket. No AFS-token after
> login, thus no access to AFS. If I do "klog.krb5", I -do- get an
> AFS-Token without any issues, and AFS-access starts working as it should.
> It's maddening that only pam_krb5 complains, while other tools work
> out of the box.
>
> Any advice would be greatly appreciated!
>
> Stephan
>
> On Fri, 8 Jul 2022, Berthold Cogel wrote:
>
>> Am 07.07.22 um 19:04 schrieb Dirk Heinrichs:
>>> Benjamin Kaduk:
>>>
>>>> Are you aware of pam_afs_session
>>>> (https://github.com/rra/pam-afs-session)? Without knowing more about
>>>> what you're using pam_krb5 for it's hard to make specific suggestions
>>>> about what alternatives might exist.
>>>
>>> BTW: pam_krb5 != pam_krb5. There are two different modules with the
>>> same
>>> name out there. The one shipped with RedHat family distributions comes
>>> with integrated AFS support, while the one shipped with Debian family
>>> distributions doesn't. That's the reason why Debian also ships
>>> pam_afs_session and RH does not.
>>>
>>> Bye...
>>>
>>> Dirk
>>>
>>
>> We're using the pam_krb5 shipped with Red Hat.
>>
>> I've rebuild the module from the RHEL 7 source rpm on RHEL 8. And it
>> seems to work.... for some value of working....
>>
>> Supported enctypes in our kdc:
>> aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3
>>
>> We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal
>> to get connections from newer Ubuntu/Debian and Fedora 35 working.
>>
>> We get a krb5 ticket and a login, but getting the AFS token gives
>> errors:
>>
>> "error obtaining credentials for
>> 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=1) on behalf of
>> ....: No credentials found with supported encryption types"
>>
>> Same for two other enctypes.
>>
>> So something else changed in RHEL 8, which we haven't found yet.
>>
>>
>> Regards
>> Berthold
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>
> Dipl. Chem. Dr. Stephan Wonczak
>
> Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
> Universitaet zu Koeln, Weyertal 121, 50931 Koeln
> Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
--------------XSU0aNZ84zREIjxm6i05Icb6
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Sounds like the version of pam_krb5 you are attempting to build
does not include support for rxkad-kdf.</p>
<p>
<a class="moz-txt-link-freetext" href="https://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html">https://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html</a></p>
<p>The version of pam_krb5 that supports rxkad-kdf contains a <span
class="pl-c1">minikafs_kd_derive() function at minikafs.c line
775.</span></p>
<p><span class="pl-c1">See
<a class="moz-txt-link-freetext" href="https://github.com/frozencemetery/pam_krb5">https://github.com/frozencemetery/pam_krb5</a>.</span></p>
<p><span class="pl-c1">As mentioned in my prior reply pam_krb5
should not be used in conjunction with sssd.</span></p>
<p><span class="pl-c1">Jeffrey Altman<br>
</span></p>
<div class="moz-cite-prefix">On 7/8/2022 8:35 AM, Stephan Wonczak
(<a class="moz-txt-link-abbreviated" href="mailto:a0033@rrz.uni-koeln.de">a0033@rrz.uni-koeln.de</a>) wrote:<br>
</div>
<blockquote type="cite"
cite="mid:72402bd4-1844-652a-99eb-5ffa86fe8de@rrz.uni-koeln.de">
Hi everyone!
<br>
(Berthold's colleague here)
<br>
<br>
We dug a little deeper and found the part in the
pam_krb5-sources where it fails. It is in the file "minikafs.c"
starting in line 775. It looks like the call to
krb5_get_credentials() gets a non-zero return value, thus making
it bail out.
<br>
The problem is that we (well, at least me!) have no idea which
enctype is expected, and which enctypes are actually tried. Debug
output is not too helpful here. Any ideas on how to get useful
information?
<br>
(I should mention I am waaay out of depth here with my knowledge
of Kerberos, and my C-fu is severely lacking, too ;-) )
<br>
<br>
To be absolutley clear: We can ssh-login to the machine running
this pam_krb.so-module, and get a valid krb5-ticket. No AFS-token
after login, thus no access to AFS. If I do "klog.krb5", I -do-
get an AFS-Token without any issues, and AFS-access starts working
as it should.
<br>
It's maddening that only pam_krb5 complains, while other tools
work out of the box.
<br>
<br>
Any advice would be greatly appreciated!
<br>
<br>
Stephan
<br>
<br>
On Fri, 8 Jul 2022, Berthold Cogel wrote:
<br>
<br>
<blockquote type="cite">Am 07.07.22 um 19:04 schrieb Dirk
Heinrichs:
<br>
<blockquote type="cite"> Benjamin Kaduk:
<br>
<br>
<blockquote type="cite"> Are you aware of pam_afs_session
<br>
(<a class="moz-txt-link-freetext" href="https://github.com/rra/pam-afs-session">https://github.com/rra/pam-afs-session</a>)? Without knowing
more about
<br>
what you're using pam_krb5 for it's hard to make specific
suggestions
<br>
about what alternatives might exist.
<br>
</blockquote>
<br>
BTW: pam_krb5 != pam_krb5. There are two different modules
with the same
<br>
name out there. The one shipped with RedHat family
distributions comes
<br>
with integrated AFS support, while the one shipped with
Debian family
<br>
distributions doesn't. That's the reason why Debian also
ships
<br>
pam_afs_session and RH does not.
<br>
<br>
Bye...
<br>
<br>
Dirk
<br>
<br>
</blockquote>
<br>
We're using the pam_krb5 shipped with Red Hat.
<br>
<br>
I've rebuild the module from the RHEL 7 source rpm on RHEL 8.
And it seems to work.... for some value of working....
<br>
<br>
Supported enctypes in our kdc:
<br>
aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3
<br>
<br>
We 'rekeyed' our AFS environment with
aes256-cts-hmac-sha1-96:normal to get connections from newer
Ubuntu/Debian and Fedora 35 working.
<br>
<br>
We get a krb5 ticket and a login, but getting the AFS token
gives errors:
<br>
<br>
"error obtaining credentials for
'<a class="moz-txt-link-abbreviated" href="mailto:afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE">afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE</a>' (enctype=1) on behalf of
....: No credentials found with supported encryption types"
<br>
<br>
Same for two other enctypes.
<br>
<br>
So something else changed in RHEL 8, which we haven't found yet.
<br>
<br>
<br>
Regards
<br>
Berthold
<br>
_______________________________________________
<br>
OpenAFS-info mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:OpenAFS-info@openafs.org">OpenAFS-info@openafs.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.openafs.org/mailman/listinfo/openafs-info">https://lists.openafs.org/mailman/listinfo/openafs-info</a>
<br>
<br>
</blockquote>
<br>
Dipl. Chem. Dr. Stephan Wonczak
<br>
<br>
Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
<br>
Universitaet zu Koeln, Weyertal 121, 50931 Koeln
<br>
Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625<br>
</blockquote>
</body>
</html>
--------------XSU0aNZ84zREIjxm6i05Icb6--
--------------ms070703060906010200010408
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
DGswggXSMIIEuqADAgECAhBAAW0B1qVVQ32wvx2EXYU6MA0GCSqGSIb3DQEBCwUAMDoxCzAJ
BgNVBAYTAlVTMRIwEAYDVQQKEwlJZGVuVHJ1c3QxFzAVBgNVBAMTDlRydXN0SUQgQ0EgQTEy
MB4XDTE5MDkwNTE0MzE0N1oXDTIyMTEwMTE0MzE0N1owcDEvMC0GCgmSJomT8ixkAQETH0Ew
MTQxMEMwMDAwMDE2RDAxRDZBNTQwMDAwMDQ0NDcxGTAXBgNVBAMTEEplZmZyZXkgRSBBbHRt
YW4xFTATBgNVBAoTDEF1cmlTdG9yIEluYzELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCY1TC9QeWnUgEoJ81FcAVnhGn/AWuzvkYRUG5/ZyXDdaM212e8
ybCklgSmZweqNdrfaaHXk9vwjpvpD4YWgb07nJ1QBwlvRV/VPAaDdneIygJJWBCzaMVLttKO
0VimH/I/HUwFBQT2mrktucCEf2qogdi2P+p5nuhnhIUiyZ71Fo43gF6cuXIMV/1rBNIJDuwM
Q3H8zi6GL0p4mZFZDDKtbYq2l8+MNxFvMrYcLaJqejQNQRBuZVfv0Fq9pOGwNLAk19baIw3U
xdwx+bGpTtS63Py1/57MQ0W/ZXE/Ocnt1qoDLpJeZIuEBKgMcn5/iN9+Ro5zAuOBEKg34wBS
8QCTAgMBAAGjggKcMIICmDAOBgNVHQ8BAf8EBAMCBPAwgYQGCCsGAQUFBwEBBHgwdjAwBggr
BgEFBQcwAYYkaHR0cDovL2NvbW1lcmNpYWwub2NzcC5pZGVudHJ1c3QuY29tMEIGCCsGAQUF
BzAChjZodHRwOi8vdmFsaWRhdGlvbi5pZGVudHJ1c3QuY29tL2NlcnRzL3RydXN0aWRjYWEx
Mi5wN2MwHwYDVR0jBBgwFoAUpHPa72k1inXMoBl7CDL4a4nkQuwwCQYDVR0TBAIwADCCASsG
A1UdIASCASIwggEeMIIBGgYLYIZIAYb5LwAGAgEwggEJMEoGCCsGAQUFBwIBFj5odHRwczov
L3NlY3VyZS5pZGVudHJ1c3QuY29tL2NlcnRpZmljYXRlcy9wb2xpY3kvdHMvaW5kZXguaHRt
bDCBugYIKwYBBQUHAgIwga0MgapUaGlzIFRydXN0SUQgQ2VydGlmaWNhdGUgaGFzIGJlZW4g
aXNzdWVkIGluIGFjY29yZGFuY2Ugd2l0aCBJZGVuVHJ1c3QncyBUcnVzdElEIENlcnRpZmlj
YXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL3NlY3VyZS5pZGVudHJ1c3QuY29tL2NlcnRp
ZmljYXRlcy9wb2xpY3kvdHMvaW5kZXguaHRtbDBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8v
dmFsaWRhdGlvbi5pZGVudHJ1c3QuY29tL2NybC90cnVzdGlkY2FhMTIuY3JsMB8GA1UdEQQY
MBaBFGphbHRtYW5AYXVyaXN0b3IuY29tMB0GA1UdDgQWBBR7pHsvL4H5GdzNToI9e5BuzV19
bzAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQELBQADggEBAFlm
JYk4Ff1v/n0foZkv661W4LCRtroBaVykOXetrDDOQNK2N6JdTa146uIZVgBeU+S/0DLvJBKY
tkUHQ9ovjXJTsuCBmhIIw3YlHoFxbku0wHEpXMdFUHV3tUodFJJKF3MbC8j7dOMkag59/Mdz
Sjszdvit0av9nTxWs/tRKKtSQQlxtH34TouIke2UgP/Nn901QLOrJYJmtjzVz8DW3IYVxfci
SBHhbhJTdley5cuEzphELo5NR4gFjBNlxH7G57Hno9+EWILpx302FJMwTgodIBJbXLbPMHou
xQbOL2anOTUMKO8oH0QdQHCtC7hpgoQa7UJYJxDBI+PRaQ/HObkwggaRMIIEeaADAgECAhEA
+d5Wf8lNDHdw+WAbUtoVOzANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQGEwJVUzESMBAGA1UE
ChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEw
HhcNMTUwMjE4MjIyNTE5WhcNMjMwMjE4MjIyNTE5WjA6MQswCQYDVQQGEwJVUzESMBAGA1UE
ChMJSWRlblRydXN0MRcwFQYDVQQDEw5UcnVzdElEIENBIEExMjCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBANGRTTzPCic0kq5L6ZrUJWt5LE/n6tbPXPhGt2Egv7plJMoEpvVJ
JDqGqDYymaAsd8Hn9ZMAuKUEFdlx5PgCkfu7jL5zgiMNnAFVD9PyrsuF+poqmlxhlQ06sFY2
hbhQkVVQ00KCNgUzKcBUIvjv04w+fhNPkwGW5M7Ae5K5OGFGwOoRck9GG6MUVKvTNkBw2/vN
MOd29VGVTtR0tjH5PS5yDXss48Yl1P4hDStO2L4wTsW2P37QGD27//XGN8K6amWB6F2XOgff
/PmlQjQOORT95PmLkwwvma5nj0AS0CVp8kv0K2RHV7GonllKpFDMT0CkxMQKwoj+tWEWJTiD
KSsCAwEAAaOCAoAwggJ8MIGJBggrBgEFBQcBAQR9MHswMAYIKwYBBQUHMAGGJGh0dHA6Ly9j
b21tZXJjaWFsLm9jc3AuaWRlbnRydXN0LmNvbTBHBggrBgEFBQcwAoY7aHR0cDovL3ZhbGlk
YXRpb24uaWRlbnRydXN0LmNvbS9yb290cy9jb21tZXJjaWFscm9vdGNhMS5wN2MwHwYDVR0j
BBgwFoAU7UQZwNPwBovupHu+QucmVMiONnYwDwYDVR0TAQH/BAUwAwEB/zCCASAGA1UdIASC
ARcwggETMIIBDwYEVR0gADCCAQUwggEBBggrBgEFBQcCAjCB9DBFFj5odHRwczovL3NlY3Vy
ZS5pZGVudHJ1c3QuY29tL2NlcnRpZmljYXRlcy9wb2xpY3kvdHMvaW5kZXguaHRtbDADAgEB
GoGqVGhpcyBUcnVzdElEIENlcnRpZmljYXRlIGhhcyBiZWVuIGlzc3VlZCBpbiBhY2NvcmRh
bmNlIHdpdGggSWRlblRydXN0J3MgVHJ1c3RJRCBDZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQg
YXQgaHR0cHM6Ly9zZWN1cmUuaWRlbnRydXN0LmNvbS9jZXJ0aWZpY2F0ZXMvcG9saWN5L3Rz
L2luZGV4Lmh0bWwwSgYDVR0fBEMwQTA/oD2gO4Y5aHR0cDovL3ZhbGlkYXRpb24uaWRlbnRy
dXN0LmNvbS9jcmwvY29tbWVyY2lhbHJvb3RjYTEuY3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMC
BggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFKRz2u9pNYp1zKAZewgy+GuJ
5ELsMA0GCSqGSIb3DQEBCwUAA4ICAQAN4YKu0vv062MZfg+xMSNUXYKvHwvZIk+6H1pUmivy
DI4I6A3wWzxlr83ZJm0oGIF6PBsbgKJ/fhyyIzb+vAYFJmyI8I/0mGlc+nIQNuV2XY8cypPo
VJKgpnzp/7cECXkX8R4NyPtEn8KecbNdGBdEaG4a7AkZ3ujlJofZqYdHxN29tZPdDlZ8fR36
/mAFeCEq0wOtOOc0Eyhs29+9MIZYjyxaPoTS+l8xLcuYX3RWlirRyH6RPfeAi5kySOEhG1qu
NHe06QIwpigjyFT6v/vRqoIBr7WpDOSt1VzXPVbSj1PcWBgkwyGKHlQUOuSbHbHcjOD8w8wH
SDbL+L2he8hNN54doy1e1wJHKmnfb0uBAeISoxRbJnMMWvgAlH5FVrQWlgajeH/6NbYbBSRx
ALuEOqEQepmJM6qz4oD2sxdq4GMN5adAdYEswkY/o0bRKyFXTD3mdqeRXce0jYQbWm7oapqS
ZBccFvUgYOrB78tB6c1bxIgaQKRShtWR1zMM0JfqUfD9u8Fg7G5SVO0IG/GcxkSvZeRjhYcb
TfqF2eAgprpyzLWmdr0mou3bv1Sq4OuBhmTQCnqxAXr4yVTRYHkp5lCvRgeJAme1OTVpVPth
/O7HJ7VuEP9GOr6kCXCXmjB4P3UJ2oU0NqfoQdcSSSt9hliALnExTEjii20B2nSDojGCAxQw
ggMQAgEBME4wOjELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUlkZW5UcnVzdDEXMBUGA1UEAxMO
VHJ1c3RJRCBDQSBBMTICEEABbQHWpVVDfbC/HYRdhTowDQYJYIZIAWUDBAIBBQCgggGXMBgG
CSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIyMDcwODE0MDIyN1ow
LwYJKoZIhvcNAQkEMSIEII2KmE5Tc7dgwkYr1xBHANyeXdKQl0SWXhgzlyofTqjcMF0GCSsG
AQQBgjcQBDFQME4wOjELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUlkZW5UcnVzdDEXMBUGA1UE
AxMOVHJ1c3RJRCBDQSBBMTICEEABbQHWpVVDfbC/HYRdhTowXwYLKoZIhvcNAQkQAgsxUKBO
MDoxCzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJZGVuVHJ1c3QxFzAVBgNVBAMTDlRydXN0SUQg
Q0EgQTEyAhBAAW0B1qVVQ32wvx2EXYU6MGwGCSqGSIb3DQEJDzFfMF0wCwYJYIZIAWUDBAEq
MAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwIC
AUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEggEASXiMu9jLHQrp
ryOT1oZy9HVUCGKK85nkGMFZzUYGsLPSY+RtY7C0V32haPNFwZqXHbF1DPNZO8M1jbYqBdkf
FYJmh99fn54ekoBCQ1cy1PU0wEI7m0ZDovZinaquCuAx6M5G9UeheTP27di4HF5podVBCuiK
UVSh2CAaUBCsqdfLWBCKpM6MNZlmdjR5z6lB3p9vZUHrBgMm4QmN+LhYwDg0eKEJ9fZxsa9e
WMjIAK8VZPiTwj8Moiqn/gLQwZlctEEVIMdyAXEyUFuwPgxISXe7tvTtzWEMb3+IAZmU8FKL
QkLeGKoMy1rPc+lPyqDvmJwWY3eLLNQntA1wjoGRBgAAAAAAAA==
--------------ms070703060906010200010408--