[OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Ralf Brunckhorst
rbrunckhorst@sinenomine.net
Thu, 14 Jul 2022 17:04:04 +0200
Hi Stephan,

since Redhat has removed the support for DES/DES3 enctypes completely in RHEL8.3 (and newer) and your client is still using it (I can see it in your provided log: (enctype=1)|(enctype=2)|(enctype=3)) it will fail.

RHEL8.3 and newer: completely removed support for DES and DES3 keys:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/rhel-8-3-0-release#deprecated-functionality_identity-management

Could you check your Master key on your Kerberos server via: kdb5_util list_mkeys
Maybe a re-key of the Master key is needed as well (if it is still on DES or DES3).

Regards,
--
Ralf Brunckhorst
rbrunckhorst@sinenomine.net
On 11 Jul 2022, at 10:30, Stephan Wonczak wrote:
> Hi Jeffrey,
> Thanks for having a look at the problem.
> However, I obviously did not do a very good job detailing exactly what we did ... so here's my next try. Warning: It is going to be lengthy :-)
>
> First off: We do not use SSSD. And we would like to keep it that way, since it caused various massive problems in the past.
>
> On RHEL-7, everything works perfectly. We are using the RedHat-supplied RPM of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64
> Looking at the debug-output of the module, this is what the relevant part looks like:
>
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_unix(sshd:session): session opened for user XXXX by (uid=0)
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: default/local realm 'RRZ.UNI-KOELN.DE'
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: configured realm 'RRZ.UNI-KOELN.DE'
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: debug
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: don't always_allow_localname
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_afs
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no null_afs
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no cred_session
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no ignore_k5login
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: user_check
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will try previously set password first
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will ask for a password if that fails
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will let libkrb5 ask questions
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: use_shmem
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: external
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: no multiple_ccaches
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: validate
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag: warn
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: banner: Kerberos 5
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccache dir: /tmp
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: keytab: FILE:/etc/krb5.keytab
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: token strategy: 2b
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: removing shared memory segment 3 creator pid 3197
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: cleanup function removing shared memory segment 3 belonging to process 3197
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining afs tokens
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: creating new PAG
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtaining tokens for local cell 'rrz.uni-koeln.de'
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: trying with ticket (2b)
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting to determine realm for "rrz.uni-koeln.de"
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.67.97
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.81
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.75
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server for "/afs/rrz.uni-koeln.de" is 134.95.112.8
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file server 134.95.67.97 has name afs.thp.uni-koeln.de
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE")
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: got tokens for cell "rrz.uni-koeln.de"
> Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: no additional afs cells configured
>
>
> We then took the source RPM: pam_krb5-2.4.8-6.el7.src.rpm and did a rebuild on a RHEL-8-Machine. This worked without any errors.
> However, when we try to use this to get a token, this happens:
>
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_unix(sshd:session): session opened for user a0537 by (uid=0)
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: default/local realm 'RRZ.UNI-KOELN.DE'
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: configured realm 'RRZ.UNI-KOELN.DE'
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: debug
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: don't always_allow_localname
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: no ignore_afs
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: no null_afs
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: no cred_session
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: no ignore_k5login
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: user_check
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: will try previously set password first
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: will ask for a password if that fails
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: will let libkrb5 ask questions
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: use_shmem
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: external
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: no multiple_ccaches
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: validate
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: warn
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: banner: Kerberos 5
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: ccache dir: /tmp
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: keytab: FILE:/etc/krb5.keytab
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: token strategy: 2b
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: removing shared memory segment 29 creator pid 2204130
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: cleanup function removing shared memory segment 29 belonging to process 2204130
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: obtaining afs tokens
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: creating new PAG
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: obtaining tokens for local cell 'rrz.uni-koeln.de'
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: trying with ticket (2b)
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to determine realm for "rrz.uni-koeln.de"
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 134.95.67.97
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 134.95.112.8
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.81
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.75
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: file server 134.95.67.97 has name afs.thp.uni-koeln.de
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE")
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=1) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=2) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=3) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afs@RRZ.UNI-KOELN.DE")
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs@RRZ.UNI-KOELN.DE' (enctype=1) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs@RRZ.UNI-KOELN.DE' (enctype=2) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs@RRZ.UNI-KOELN.DE' (enctype=3) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afsx/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE")
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afsx/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=1) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afsx/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=2) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afsx/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=3) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afsx@RRZ.UNI-KOELN.DE")
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afsx@RRZ.UNI-KOELN.DE' (enctype=1) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afsx@RRZ.UNI-KOELN.DE' (enctype=2) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afsx@RRZ.UNI-KOELN.DE' (enctype=3) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: afslog (2b) failed to "rrz.uni-koeln.de"
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: got error -1 (Unknown code ____ 255) while obtaining tokens for rrz.uni-koeln.de
> Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: no additional afs cells configured
>
> To reiterate: We get both kerberos ticket and AFS-Token on RHEL-7. On RHEL-8, we still get a valid kerberos ticket, but getting the AFS-Token fails. It -is- possible, however, to get a valid AFS-Token by klog.krb5. So -in principle- everything is in place to have this done by pam_afs.
> The problem is: I have no way to determine why it is complaining about "no supported encryption types" when other tools have no problems at all!
>
> Additional info. Yes, we did rekey our AFS-cell quite a while ago, and our afs-Principal has two keys:
>
> kadmin.local: getprinc afs/rrz.uni-koeln.de
> Principal: afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE
> <snip>
> Anzahl der Schlüssel: 2
> Key: vno 5, aes256-cts-hmac-sha1-96
> Key: vno 4, des-cbc-crc
> MKey: vno 1
> Attribute: REQUIRES_PRE_AUTH
> Richtlinie: [keins]
>
> Our users have three:
>
> kadmin.local: getprinc XXXX
> Principal: XXXX@RRZ.UNI-KOELN.DE
> <snip>
> Anzahl der Schlüssel: 3
> Key: vno 2, aes256-cts-hmac-sha1-96
> Key: vno 2, des-cbc-crc
> Key: vno 2, des-cbc-md5:afs3
> MKey: vno 1
> Attribute: REQUIRES_PRE_AUTH
> Richtlinie: [keins]
>
> Like I said before, I looked at the sources of our version of pam_krb5, and the part where it is failing starts at line 775 inside the function "minikafs_5log_with_principal" (I'll attach the minikafs.c to this mail for reference)
>
>     /* Try to obtain a suitable credential. */
>     for (i = 0; i < n_etypes; i++) {
>         memset(&mcreds, 0, sizeof(mcreds));
>         mcreds.client = client;
>         mcreds.server = server;
>         if (etypes != NULL) {
>             v5_creds_set_etype(ctx, &mcreds, etypes[i]);
>         }
>         new_creds = NULL;
>         tmp = krb5_get_credentials(ctx, 0, ccache,
>                                    &mcreds, &new_creds);
>         if (tmp == 0) {
>             if (use_rxk5 &&
>                 (minikafs_5settoken2(cell, new_creds, uid) == 0)) {
>                 krb5_free_creds(ctx, new_creds);
>                 v5_free_unparsed_name(ctx, unparsed_client);
>                 krb5_free_principal(ctx, client);
>                 krb5_free_principal(ctx, server);
>                 return 0;
>             } else
>             if (use_v5_2b &&
>                 (minikafs_5settoken(cell, new_creds, uid) == 0)) {
>                 krb5_free_creds(ctx, new_creds);
>                 v5_free_unparsed_name(ctx, unparsed_client);
>                 krb5_free_principal(ctx, client);
>                 krb5_free_principal(ctx, server);
>                 return 0;
>             }
>             krb5_free_creds(ctx, new_creds);
>         } else {
>             if (options->debug) {
>                 if (etypes != NULL) {
>                     debug("error obtaining credentials for "
>                           "'%s' (enctype=%d) on behalf of "
>                           "'%s': %s",
>                           principal, etypes[i],
>                           unparsed_client,
>                           v5_error_message(tmp));
>                 } else {
>                     debug("error obtaining credentials for "
>                           "'%s' on behalf of "
>                           "'%s': %s",
>                           principal,
>                           unparsed_client,
>                           v5_error_message(tmp));
>                 }
>             }
>         }
>     }
>
>     v5_free_unparsed_name(ctx, unparsed_client);
>     krb5_free_principal(ctx, client);
>     krb5_free_principal(ctx, server);
>
> If you or anyone else has any ideas how to tackle the problem, any help would be greatly appreciated.
>
> Cheers from Cologne,
> Stephan Wonczak
>
>
> On Fri, 8 Jul 2022, Jeffrey E Altman wrote:
>
>>
>> Sounds like the version of pam_krb5 you are attempting to build does not
>> include support for rxkad-kdf.
>>
>> https://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html
>>
>> The version of pam_krb5 that supports rxkad-kdf contains a
>> minikafs_kd_derive() function at minikafs.c line 775.
>>
>> See https://github.com/frozencemetery/pam_krb5.
>>
>> As mentioned in my prior reply pam_krb5 should not be used in conjunction
>> with sssd.
>>
>> Jeffrey Altman
>>
>> On 7/8/2022 8:35 AM, Stephan Wonczak (a0033@rrz.uni-koeln.de) wrote:
>> Hi everyone!
>> (Berthold's colleague here)
>>
>> We dug a little deeper and found the part in the pam_krb5-sources where it fails. It is in the file "minikafs.c" starting in line 775. It looks like the call to krb5_get_credentials() gets a non-zero return value, thus making it bail out.
>> The problem is that we (well, at least me!) have no idea which enctype is expected, and which enctypes are actually tried. Debug output is not too helpful here. Any ideas on how to get useful information?
>> (I should mention I am waaay out of depth here with my knowledge of Kerberos, and my C-fu is severely lacking, too ;-) )
>>
>> To be absolutely clear: We can ssh-login to the machine running this pam_krb.so-module, and get a valid krb5-ticket. No AFS-token after login, thus no access to AFS. If I do "klog.krb5", I -do- get an AFS-Token without any issues, and AFS-access starts working as it should.
>> It's maddening that only pam_krb5 complains, while other tools work out of the box.
>>
>> Any advice would be greatly appreciated!
>>
>> Stephan
>>
>> On Fri, 8 Jul 2022, Berthold Cogel wrote:
>>
>> On 07.07.22 at 19:04, Dirk Heinrichs wrote:
>> Benjamin Kaduk:
>>
>> Are you aware of pam_afs_session (https://github.com/rra/pam-afs-session)? Without knowing more about what you're using pam_krb5 for it's hard to make specific suggestions about what alternatives might exist.
>>
>>
>> BTW: pam_krb5 != pam_krb5. There are two different modules with the same name out there. The one shipped with RedHat family distributions comes with integrated AFS support, while the one shipped with Debian family distributions doesn't. That's the reason why Debian also ships pam_afs_session and RH does not.
>>
>> Bye...
>>
>>     Dirk
>>
>>
>> We're using the pam_krb5 shipped with Red Hat.
>>
>> I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it seems to work.... for some value of working....
>>
>> Supported enctypes in our kdc:
>> aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3
>>
>> We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to get connections from newer Ubuntu/Debian and Fedora 35 working.
>>
>> We get a krb5 ticket and a login, but getting the AFS token gives errors:
>>
>> "error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=1) on behalf of ....: No credentials found with supported encryption types"
>>
>> Same for two other enctypes.
>>
>> So something else changed in RHEL 8, which we haven't found yet.
>>
>>
>> Regards
>> Berthold
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>>
>>     Dipl. Chem. Dr. Stephan Wonczak
>>
>>         Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
>>         Universitaet zu Koeln, Weyertal 121, 50931 Koeln
>>         Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
>>
>>
>>
>
> Dipl. Chem. Dr. Stephan Wonczak
>
> Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
> Universitaet zu Koeln, Weyertal 121, 50931 Koeln
> Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
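As an added example (not code from this thread, from pam_krb5 or from OpenAFS), the following Python script triages the two artefacts quoted above: it parses pam_krb5's "error obtaining credentials ... (enctype=N)" debug lines and the "Key: vno N, enctype" lines of a kadmin getprinc listing, then reports whether the AFS token step only ever asked for DES/DES3 service tickets and whether the KDC side already holds a non-DES key. The sample log and principal listing are constructed, and the EXAMPLE.ORG realm, host and user names are placeholders.

```python
import re

# Kerberos enctype numbers (RFC 3961 / IANA registry, subset).
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96"}
# Single-DES and triple-DES: the Red Hat release note cited in the thread
# says RHEL 8.3+ krb5 no longer supports these keys at all.
LEGACY_ENCTYPES = {1, 2, 3, 16}

# pam_krb5 debug line format as shown in the thread:
# "... pam_krb5[PID]: error obtaining credentials for 'afs/...' (enctype=1)
#  on behalf of 'user@REALM': No credentials found with supported encryption types"
ERROR_RE = re.compile(
    r"pam_krb5\[\d+\]: error obtaining credentials for '(?P<server>[^']+)' "
    r"\(enctype=(?P<etype>\d+)\) on behalf of '(?P<client>[^']+)': (?P<msg>.*)$")
# "Key: vno 5, aes256-cts-hmac-sha1-96" lines from kadmin getprinc output.
KEY_RE = re.compile(r"^Key: vno (?P<vno>\d+), (?P<enctype>[\w:-]+)")

def parse_token_errors(log_text):
    """One dict per 'error obtaining credentials' line in pam_krb5 debug output."""
    errors = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            errors.append({"server": m.group("server"), "etype": int(m.group("etype")),
                           "client": m.group("client"), "msg": m.group("msg").strip()})
    return errors

def summarize(errors):
    """Collapse per-line errors into which enctypes and service principals were tried."""
    etypes = sorted({e["etype"] for e in errors})
    servers = []
    for e in errors:
        if e["server"] not in servers:
            servers.append(e["server"])
    return {
        "enctypes": etypes,
        "enctype_names": [ENCTYPE_NAMES.get(t, "unknown(%d)" % t) for t in etypes],
        "servers": servers,
        # True only if at least one ticket was requested and every request was DES/DES3.
        "only_legacy": bool(etypes) and all(t in LEGACY_ENCTYPES for t in etypes),
    }

def parse_principal_keys(getprinc_text):
    """Return (kvno, enctype[:salt]) pairs from kadmin 'getprinc' output."""
    keys = []
    for line in getprinc_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            keys.append((int(m.group("vno")), m.group("enctype")))
    return keys

def diagnose(log_text, getprinc_text):
    """Combine the client's debug output with the KDC's key list into findings."""
    summary = summarize(parse_token_errors(log_text))
    keys = parse_principal_keys(getprinc_text)
    kdc_has_modern_key = any(not name.startswith("des") for _, name in keys)
    findings = []
    if summary["only_legacy"]:
        findings.append("client asked only for DES/DES3 service tickets (%s); a krb5 "
                        "library built without DES cannot satisfy these, so the AFS "
                        "token step fails even though the TGT was issued"
                        % ", ".join(summary["enctype_names"]))
    if keys and kdc_has_modern_key:
        findings.append("the AFS service principal already has a non-DES key, so the "
                        "KDC is not the blocker; the client needs an rxkad-kdf capable "
                        "token helper (newer pam_krb5 or pam_afs_session)")
    elif keys:
        findings.append("the AFS service principal has only DES keys; rekey it first")
    return {"enctypes_tried": summary["enctypes"], "servers_tried": summary["servers"],
            "only_legacy": summary["only_legacy"], "principal_keys": keys,
            "kdc_has_modern_key": kdc_has_modern_key, "findings": findings}

# Constructed sample input modelled on the debug output in the thread (not real data).
SAMPLE_LOG = """\
Jul  8 15:14:57 host sshd[4242]: pam_krb5[4242]: attempting to obtain tokens for "example.org" ("afs/example.org@EXAMPLE.ORG")
Jul  8 15:14:57 host sshd[4242]: pam_krb5[4242]: error obtaining credentials for 'afs/example.org@EXAMPLE.ORG' (enctype=1) on behalf of 'alice@EXAMPLE.ORG': No credentials found with supported encryption types
Jul  8 15:14:57 host sshd[4242]: pam_krb5[4242]: error obtaining credentials for 'afs/example.org@EXAMPLE.ORG' (enctype=2) on behalf of 'alice@EXAMPLE.ORG': No credentials found with supported encryption types
Jul  8 15:14:57 host sshd[4242]: pam_krb5[4242]: error obtaining credentials for 'afs/example.org@EXAMPLE.ORG' (enctype=3) on behalf of 'alice@EXAMPLE.ORG': No credentials found with supported encryption types
Jul  8 15:14:57 host sshd[4242]: pam_krb5[4242]: error obtaining credentials for 'afs@EXAMPLE.ORG' (enctype=1) on behalf of 'alice@EXAMPLE.ORG': No credentials found with supported encryption types
Jul  8 15:14:57 host sshd[4242]: pam_krb5[4242]: afslog (2b) failed to "example.org"
"""

# Constructed kadmin getprinc excerpt for the AFS service principal (not real data).
SAMPLE_GETPRINC = """\
Principal: afs/example.org@EXAMPLE.ORG
Number of keys: 2
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 4, des-cbc-crc
MKey: vno 1
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_GETPRINC)["findings"]:
        print("-", finding)
```

Feed it the real syslog excerpt and getprinc output instead of the samples; a log where pam_krb5 tries enctype 17 or 18 and still fails points at something other than the DES removal.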
--=_MailMate_19B395AB-C5FA-4E6E-BC4B-70E3CA07D30E_=
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE html>
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/xhtml; charset=3Dutf-8"=
>
</head>
<body><div style=3D"font-family: sans-serif;"><div class=3D"markdown" sty=
le=3D"white-space: normal;">
<p dir=3D"auto">Hi Stephan,</p>
<p dir=3D"auto">since Redhat has removed the support for DES/DES3 enctype=
s completely in RHEL8.3 (and newer) and your client is still using it (I =
can see it in your provided log: (enctype=3D1)|(enctype=3D2)|(enctype=3D3=
)) it will fail.</p>
<p dir=3D"auto">RHEL8.3 and newer: completely removed support for DES and=
DES3 keys:<br>
<a href=3D"https://access.redhat.com/documentation/en-us/red_hat_enterpri=
se_linux/8/html/8.3_release_notes/rhel-8-3-0-release#deprecated-functiona=
lity_identity-management">https://access.redhat.com/documentation/en-us/r=
ed_hat_enterprise_linux/8/html/8.3_release_notes/rhel-8-3-0-release#depre=
cated-functionality_identity-management</a></p>
<p dir=3D"auto">Could you check your Master key on your Kerberos server v=
ia: kdb5_util list_mkeys<br>
Maybe a re-key of the Master key is needed as well (if it is still on DES=
or DES3).</p>
<p dir=3D"auto">Regards,</p>
<p dir=3D"auto">--<br>
Ralf Brunckhorst<br>
<a href=3D"mailto:rbrunckhorst@sinenomine.net">rbrunckhorst@sinenomine.ne=
t</a></p>
<p dir=3D"auto">On 11 Jul 2022, at 10:30, Stephan Wonczak wrote:</p>
</div><div class=3D"plaintext" style=3D"white-space: normal;"><blockquote=
style=3D"margin: 0 0 5px; padding-left: 5px; border-left: 2px solid #136=
BCE; color: #136BCE;"><p dir=3D"auto"> Hi Jeffrey,
<br>
Thanks for having a look at the problem.
<br>
However, I obviously did not do a very good job detailing exactly what =
we did ... so here's my next try. Warning: It is going to be lengthy :-)<=
/p>
<p dir=3D"auto"> First off: We do not use SSSD. And we would like to kee=
p it that way, since it caused various massive problems in the past.</p>
<p dir=3D"auto"> On RHEL-7, everything works perfectly. We are using the=
RedHat-supplied RPM of pam_krb5: pam_krb5-2.4.8-6.el7.x86_64
<br>
Looking at the debug-output of the module, this is what the relevant par=
t looks like:</p>
<p dir=3D"auto">Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_u=
nix(sshd:session): session opened for user XXXX by (uid=3D0)
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: defau=
lt/local realm 'RRZ.UNI-KOELN.DE'
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: confi=
gured realm 'RRZ.UNI-KOELN.DE'
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:=
debug
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:=
don't always_allow_localname
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:=
no ignore_afs
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:=
no null_afs
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:=
no cred_session
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:=
no ignore_k5login
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:=
user_check
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will =
try previously set password first
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will =
ask for a password if that fails
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: will =
let libkrb5 ask questions
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:=
use_shmem
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:=
external
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:=
no multiple_ccaches
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:=
validate
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: flag:=
warn
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: banne=
r: Kerberos 5
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccach=
e dir: /tmp
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: ccnam=
e template: FILE:%d/krb5cc_%U_XXXXXX
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: keyta=
b: FILE:/etc/krb5.keytab
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: token=
strategy: 2b
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: remov=
ing shared memory segment 3 creator pid 3197
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: clean=
up function removing shared memory segment 3 belonging to process 3197
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtai=
ning afs tokens
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: creat=
ing new PAG
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: obtai=
ning tokens for local cell 'rrz.uni-koeln.de'
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: tryin=
g with ticket (2b)
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attem=
pting to determine realm for "rrz.uni-koeln.de"
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file =
server for "/afs/rrz.uni-koeln.de" is 134.95.67.97
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file =
server for "/afs/rrz.uni-koeln.de" is 134.95.109.81
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file =
server for "/afs/rrz.uni-koeln.de" is 134.95.109.75
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file =
server for "/afs/rrz.uni-koeln.de" is 134.95.112.8
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: file =
server 134.95.67.97 has name afs.thp.uni-koeln.de
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: afs.t=
hp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: attem=
pting to obtain tokens for "rrz.uni-koeln.de" ("afs/rrz.uni-koeln.de@RRZ.=
UNI-KOELN.DE")
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: got t=
okens for cell "rrz.uni-koeln.de"
<br>
Jul 8 10:26:51 cftest.rrz.uni-koeln.de sshd[3197]: pam_krb5[3197]: no ad=
ditional afs cells configured</p>
<p dir=3D"auto"> We then took the source PRM: pam_krb5-2.4.8-6.el7.src.r=
pm and did a rebuild on a RHEL-8-Machine. This worked without any errors.=
<br>
However, when we try to use this to get a token, this happens:</p>
<p dir=3D"auto">Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: =
pam_unix(sshd:session): session opened for user a0537 by (uid=3D0)
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130=
]: default/local realm 'RRZ.UNI-KOELN.DE'
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130=
]: configured realm 'RRZ.UNI-KOELN.DE'
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130=
]: flag: debug
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130=
]: flag: don't always_allow_localname
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130=
]: flag: no ignore_afs
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130=
]: flag: no null_afs
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130=
]: flag: no cred_session
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130=
]: flag: no ignore_k5login
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130=
]: flag: user_check
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130=
]: will try previously set password first
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130=
]: will ask for a password if that fails
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130=
]: will let libkrb5 ask questions
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130=
]: flag: use_shmem
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130=
]: flag: external
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: no multiple_ccaches
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: validate
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: flag: warn
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: banner: Kerberos 5
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: ccache dir: /tmp
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: keytab: FILE:/etc/krb5.keytab
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: token strategy: 2b
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: removing shared memory segment 29 creator pid 2204130
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: cleanup function removing shared memory segment 29 belonging to process 2204130
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: obtaining afs tokens
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: creating new PAG
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: obtaining tokens for local cell 'rrz.uni-koeln.de'
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: trying with ticket (2b)
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to determine realm for "rrz.uni-koeln.de"
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 134.95.67.97
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 134.95.112.8
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.81
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: file server for "/afs/rrz.uni-koeln.de" is 134.95.109.75
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: file server 134.95.67.97 has name afs.thp.uni-koeln.de
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: afs.thp.uni-koeln.de is in realm "RRZ.UNI-KOELN.DE"
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE")
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=1) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=2) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=3) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afs@RRZ.UNI-KOELN.DE")
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs@RRZ.UNI-KOELN.DE' (enctype=1) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs@RRZ.UNI-KOELN.DE' (enctype=2) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afs@RRZ.UNI-KOELN.DE' (enctype=3) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afsx/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE")
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afsx/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=1) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afsx/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=2) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afsx/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=3) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: attempting to obtain tokens for "rrz.uni-koeln.de" ("afsx@RRZ.UNI-KOELN.DE")
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afsx@RRZ.UNI-KOELN.DE' (enctype=1) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afsx@RRZ.UNI-KOELN.DE' (enctype=2) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: error obtaining credentials for 'afsx@RRZ.UNI-KOELN.DE' (enctype=3) on behalf of 'a0537@RRZ.UNI-KOELN.DE': No credentials found with supported encryption types
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: afslog (2b) failed to "rrz.uni-koeln.de"
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: got error -1 (Unknown code ____ 255) while obtaining tokens for rrz.uni-koeln.de
<br>
Jul 8 15:14:57 kicktest.rrz.uni-koeln.de sshd[2204130]: pam_krb5[2204130]: no additional afs cells configured</p>
<p dir="auto"> To reiterate: We get both kerberos ticket and AFS-Token on RHEL-7. On RHEL-8, we still get a valid kerberos ticket, but getting the AFS-Token fails. It -is- possible, however, to get a valid AFS-Token by klog.krb5. So -in principle- everything is in place to have this done by pam_afs.
<br>
The problem is: I have no way to determine why it is complaining about "no supported encryption types" when other tools have no problems at all!</p>
<p dir="auto"> Additional info: Yes, we did rekey our AFS-cell quite a while ago, and our afs-Principal has two keys:</p>
<p dir="auto">kadmin.local: getprinc afs/rrz.uni-koeln.de
<br>
Principal: afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE
<br>
&lt;snip&gt;
<br>
Anzahl der Schlüssel: 2
<br>
Key: vno 5, aes256-cts-hmac-sha1-96
<br>
Key: vno 4, des-cbc-crc
<br>
MKey: vno 1
<br>
Attribute: REQUIRES_PRE_AUTH
<br>
Richtlinie: [keins]</p>
<p dir="auto"> Our users have three:</p>
<p dir="auto">kadmin.local: getprinc XXXX
<br>
Principal: XXXX@RRZ.UNI-KOELN.DE
<br>
&lt;snip&gt;
<br>
Anzahl der Schlüssel: 3
<br>
Key: vno 2, aes256-cts-hmac-sha1-96
<br>
Key: vno 2, des-cbc-crc
<br>
Key: vno 2, des-cbc-md5:afs3
<br>
MKey: vno 1
<br>
Attribute: REQUIRES_PRE_AUTH
<br>
Richtlinie: [keins]</p>
<p dir="auto"> Like I said before, I looked at the sources of our version of pam_krb5, and the part where it is failing starts at line 775 inside the function "minikafs_5log_with_principal" (I'll attach the minikafs.c to this mail for reference)</p>
<pre><code>    /* Try to obtain a suitable credential. */
    for (i = 0; i &lt; n_etypes; i++) {
        memset(&amp;mcreds, 0, sizeof(mcreds));
        mcreds.client = client;
        mcreds.server = server;
        if (etypes != NULL) {
            v5_creds_set_etype(ctx, &amp;mcreds, etypes[i]);
        }
        new_creds = NULL;
        tmp = krb5_get_credentials(ctx, 0, ccache,
                                   &amp;mcreds, &amp;new_creds);
        if (tmp == 0) {
            if (use_rxk5 &amp;&amp;
                (minikafs_5settoken2(cell, new_creds, uid) == 0)) {
                krb5_free_creds(ctx, new_creds);
                v5_free_unparsed_name(ctx, unparsed_client);
                krb5_free_principal(ctx, client);
                krb5_free_principal(ctx, server);
                return 0;
            } else if (use_v5_2b &amp;&amp;
                       (minikafs_5settoken(cell, new_creds, uid) == 0)) {
                krb5_free_creds(ctx, new_creds);
                v5_free_unparsed_name(ctx, unparsed_client);
                krb5_free_principal(ctx, client);
                krb5_free_principal(ctx, server);
                return 0;
            }
            krb5_free_creds(ctx, new_creds);
        } else {
            if (options-&gt;debug) {
                if (etypes != NULL) {
                    debug("error obtaining credentials for "
                          "'%s' (enctype=%d) on behalf of "
                          "'%s': %s",
                          principal, etypes[i],
                          unparsed_client,
                          v5_error_message(tmp));
                } else {
                    debug("error obtaining credentials for "
                          "'%s' on behalf of "
                          "'%s': %s",
                          principal,
                          unparsed_client,
                          v5_error_message(tmp));
                }
            }
        }
    }

    v5_free_unparsed_name(ctx, unparsed_client);
    krb5_free_principal(ctx, client);
    krb5_free_principal(ctx, server);
</code></pre>
<p dir="auto"> If you or anyone else has any ideas how to tackle the problem, any help would be greatly appreciated.</p>
<p dir="auto"> Cheers from Cologne,
<br>
Stephan Wonczak</p>
<p dir="auto">On Fri, 8 Jul 2022, Jeffrey E Altman wrote:</p>
<blockquote style="margin: 0 0 5px; padding-left: 5px; border-left: 2px solid #136BCE; border-left-color: #4B89CF; color: #4B89CF;"><p dir="auto">Sounds like the version of pam_krb5 you are attempting to build does not include support for rxkad-kdf.</p>
<p dir="auto"><a href="https://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html">https://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html</a></p>
<p dir="auto">The version of pam_krb5 that supports rxkad-kdf contains a minikafs_kd_derive() function at minikafs.c line 775.</p>
<p dir="auto">See <a href="https://github.com/frozencemetery/pam_krb5">https://github.com/frozencemetery/pam_krb5</a>.</p>
<p dir="auto">As mentioned in my prior reply pam_krb5 should not be used in conjunction with sssd.</p>
<p dir="auto">Jeffrey Altman</p>
<p dir="auto">On 7/8/2022 8:35 AM, Stephan Wonczak (a0033@rrz.uni-koeln.de) wrote:
<br>
Hi everyone!
<br>
(Berthold's colleague here)</p>
<p dir="auto"> We dug a little deeper and found the part in the pam_krb5-sources where it fails. It is in the file "minikafs.c" starting in line 775. It looks like the call to krb5_get_credentials() gets a non-zero return value, thus making it bail out.
<br>
The problem is that we (well, at least me!) have no idea which enctype is expected, and which enctypes are actually tried. Debug output is not too helpful here. Any ideas on how to get useful information?
<br>
(I should mention I am waaay out of depth here with my knowledge of Kerberos, and my C-fu is severely lacking, too ;-) )</p>
<p dir="auto"> To be absolutely clear: We can ssh-login to the machine running this pam_krb.so-module, and get a valid krb5-ticket. No AFS-token after login, thus no access to AFS. If I do "klog.krb5", I -do- get an AFS-Token without any issues, and AFS-access starts working as it should.
<br>
It's maddening that only pam_krb5 complains, while other tools work out of the box.</p>
<p dir="auto"> Any advice would be greatly appreciated!</p>
<p dir="auto"> Stephan</p>
<p dir="auto"> On Fri, 8 Jul 2022, Berthold Cogel wrote:</p>
<p dir="auto"> On 07.07.22 at 19:04, Dirk Heinrichs wrote:
<br>
Benjamin Kaduk:</p>
<p dir="auto"> Are you aware of pam_afs_session (<a href="https://github.com/rra/pam-afs-session">https://github.com/rra/pam-afs-session</a>)? Without knowing more about what you're using pam_krb5 for it's hard to make specific suggestions about what alternatives might exist.</p>
<p dir="auto"> BTW: pam_krb5 != pam_krb5. There are two different modules with the same name out there. The one shipped with RedHat family distributions comes with integrated AFS support, while the one shipped with Debian family distributions doesn't. That's the reason why Debian also ships pam_afs_session and RH does not.</p>
<p dir="auto"> Bye...</p>
<p dir="auto"> Dirk</p>
<p dir="auto"> We're using the pam_krb5 shipped with Red Hat.</p>
<p dir="auto"> I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it seems to work.... for some value of working....</p>
<p dir="auto"> Supported enctypes in our kdc:
<br>
aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal
<br>
des:afs3</p>
<p dir="auto"> We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to get connections from newer Ubuntu/Debian and Fedora 35 working.</p>
<p dir="auto"> We get a krb5 ticket and a login, but getting the AFS token gives errors:</p>
<p dir="auto"> "error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' (enctype=1) on behalf of ....: No credentials found with supported encryption types"</p>
<p dir="auto"> Same for two other enctypes.</p>
<p dir="auto"> So something else changed in RHEL 8, which we haven't found yet.</p>
<p dir="auto"> Regards
<br>
Berthold
<br>
_______________________________________________
<br>
OpenAFS-info mailing list
<br>
OpenAFS-info@openafs.org
<br>
<a href="https://lists.openafs.org/mailman/listinfo/openafs-info">https://lists.openafs.org/mailman/listinfo/openafs-info</a></p>
<p dir="auto"> Dipl. Chem. Dr. Stephan Wonczak</p>
<p dir="auto"> Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
<br>
Universitaet zu Koeln, Weyertal 121, 50931 Koeln
<br>
Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625</p>
</blockquote><p dir="auto"> Dipl. Chem. Dr. Stephan Wonczak</p>
<p dir="auto"> Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
<br>
Universitaet zu Koeln, Weyertal 121, 50931 Koeln</p>
</blockquote></div>
<div class="markdown" style="white-space: normal;">
<blockquote style="margin: 0 0 5px; padding-left: 5px; border-left: 2px solid #136BCE; color: #136BCE;">
<pre style="margin-left: 15px; margin-right: 15px; padding: 5px; border: thin solid gray; overflow-x: auto; max-width: 90vw; background-color: #E4E4E4;"><code style="padding: 0 0.25em; background-color: #E4E4E4;"> Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
</code></pre>
</blockquote>
</div>
</div>
</body>
</html>
--=_MailMate_19B395AB-C5FA-4E6E-BC4B-70E3CA07D30E_=--
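The thread turns on two pieces of evidence: the pam_krb5 debug lines showing which enctypes the module asked for (enctype=1, 2, 3 are the single-DES types des-cbc-crc, des-cbc-md4 and des-cbc-md5 in RFC 3961 numbering), and the getprinc output showing which keys the afs/ service principal actually holds. The script below is an added example written for this page, not code from pam_krb5, OpenAFS or anyone in the thread. It parses both artefacts and states whether the failure matches the pattern discussed here (client asks only for DES-family session keys that a DES-less krb5 library can no longer provide). The host, cell, realm and user names in the sample input are constructed placeholders, and the log format assumed is the one quoted in the thread.

```python
"""Diagnose a failed AFS token acquisition from pam_krb5 debug output and
kadmin 'getprinc' output. Added example for this thread; not project code."""
import re

# RFC 3961 / IANA Kerberos encryption type numbers (the subset that matters here).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
# Single DES and triple DES: the types RHEL 8.3+ dropped entirely.
DES_FAMILY = frozenset({"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1"})

# The debug() line from the enctype loop quoted in the thread; the enctype part
# is optional because the module also logs a variant without it.
ERR_RE = re.compile(
    r"error obtaining credentials for '(?P<server>[^']+)'"
    r"(?: \(enctype=(?P<etype>\d+)\))? on behalf of '(?P<client>[^']+)': (?P<msg>.*)$"
)
# "Key: vno 5, aes256-cts-hmac-sha1-96" or "Key: vno 2, des-cbc-md5:afs3".
KEY_RE = re.compile(r"^\s*Key: vno (?P<vno>\d+), (?P<enctype>[A-Za-z0-9-]+)(?::(?P<salt>\w+))?\s*$")


def enctype_name(num):
    return ENCTYPE_NAMES.get(num, "unknown(%d)" % num)


def parse_pam_krb5_log(lines):
    """One dict per credential error: server, client, numeric etype (or None), name, message."""
    found = []
    for line in lines:
        m = ERR_RE.search(line)
        if m is None:
            continue
        etype = int(m.group("etype")) if m.group("etype") else None
        found.append({
            "server": m.group("server"),
            "client": m.group("client"),
            "etype": etype,
            "enctype": enctype_name(etype) if etype is not None else None,
            "msg": m.group("msg").strip(),
        })
    return found


def parse_getprinc(text):
    """(vno, enctype, salt-or-None) for every 'Key:' line of getprinc output."""
    keys = []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            keys.append((int(m.group("vno")), m.group("enctype"), m.group("salt")))
    return keys


def diagnose(log_lines, getprinc_text):
    """Compare the enctypes pam_krb5 requested with the keys the service principal has."""
    errors = parse_pam_krb5_log(log_lines)
    tried = sorted({(e["etype"], e["enctype"]) for e in errors if e["etype"] is not None})
    keys = parse_getprinc(getprinc_text)
    key_types = {enctype for _, enctype, _ in keys}
    all_des = bool(tried) and all(name in DES_FAMILY for _, name in tried)
    has_non_des = any(enctype not in DES_FAMILY for enctype in key_types)
    if all_des and has_non_des:
        verdict = ("pam_krb5 requested only DES-family session keys (%s); a krb5 library "
                   "without DES support cannot satisfy that even though the service principal "
                   "still carries a DES key. A pam_krb5 build with rxkad-kdf support derives the "
                   "key rxkad needs from a non-DES session key instead."
                   % ", ".join(name for _, name in tried))
    elif all_des:
        verdict = ("pam_krb5 requested only DES-family session keys and the service principal "
                   "has no non-DES key either; both the principal and the client need updating.")
    elif tried:
        verdict = "non-DES enctypes were also refused; the cause is not DES removal alone."
    else:
        verdict = "no 'error obtaining credentials' lines found in the log."
    return {"tried": tried, "all_tried_are_des": all_des, "service_keys": keys,
            "service_has_non_des": has_non_des, "verdict": verdict}


# Constructed sample input in pam_krb5's debug format (placeholders, not the thread's log).
SAMPLE_LOG = [
    'Jul  8 15:14:57 host sshd[4242]: pam_krb5[4242]: attempting to obtain tokens for "cell.example.org" ("afs/cell.example.org@EXAMPLE.ORG")',
    "Jul  8 15:14:57 host sshd[4242]: pam_krb5[4242]: error obtaining credentials for 'afs/cell.example.org@EXAMPLE.ORG' (enctype=1) on behalf of 'alice@EXAMPLE.ORG': No credentials found with supported encryption types",
    "Jul  8 15:14:57 host sshd[4242]: pam_krb5[4242]: error obtaining credentials for 'afs/cell.example.org@EXAMPLE.ORG' (enctype=2) on behalf of 'alice@EXAMPLE.ORG': No credentials found with supported encryption types",
    "Jul  8 15:14:57 host sshd[4242]: pam_krb5[4242]: error obtaining credentials for 'afs/cell.example.org@EXAMPLE.ORG' (enctype=3) on behalf of 'alice@EXAMPLE.ORG': No credentials found with supported encryption types",
    'Jul  8 15:14:57 host sshd[4242]: pam_krb5[4242]: afslog (2b) failed to "cell.example.org"',
]
# Constructed getprinc output for the service principal (same shape as in the thread).
SAMPLE_GETPRINC = """\
Principal: afs/cell.example.org@EXAMPLE.ORG
Number of keys: 2
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 4, des-cbc-crc
MKey: vno 1
"""

if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, SAMPLE_GETPRINC)
    print("enctypes tried:", ", ".join("%d=%s" % t for t in report["tried"]))
    print("service keys  :", ", ".join("vno %d %s" % (v, e) for v, e, _ in report["service_keys"]))
    print("verdict       :", report["verdict"])
```

Feed it the real pam_krb5 debug lines from syslog and the getprinc output for the afs/ principal; the "tried" list makes it immediately visible that the RHEL 7 pam_krb5 build only ever asks for enctypes 1, 2 and 3, which is the same evidence Ralf read off the log by hand.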