Hi,
I have another problem when I am trying to run pam_krb5 and pam_gssklog with pam_unix. When I configure dtlogin in pam.conf on a Solaris 9 box as below:

dtlogin auth requisite  pam_authtok_get.so.1 debug
dtlogin auth required   pam_dhkeys.so.1 debug
dtlogin auth required   pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
dtlogin auth optional   pam_gssklog.so.1 debug

pam_gssklog is working fine and pam_sm_setcred was called. It can run gssklog correctly and get AFS tokens.

But if I add pam_unix_auth.so.1 before pam_krb5.so as below:

dtlogin auth requisite  pam_authtok_get.so.1 debug
dtlogin auth required   pam_dhkeys.so.1 debug
dtlogin auth sufficient pam_unix_auth.so.1 debug use_first_pass
dtlogin auth required   pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
dtlogin auth optional   pam_gssklog.so.1 debug

The pam_sm_setcred in pam_gssklog was not called, so it cannot run gssklog to get AFS tokens. pam_sm_authenticate in pam_gssklog was called.

If I adjust the order of pam_unix as below:

dtlogin auth requisite  pam_authtok_get.so.1 debug
dtlogin auth required   pam_dhkeys.so.1 debug
dtlogin auth optional   pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
dtlogin auth sufficient pam_gssklog.so.1 debug
dtlogin auth required   pam_unix_auth.so.1 debug use_first_pass

It still has the same result: pam_sm_setcred was not called.

What I want is just to combine the general Unix authentication with the Kerberos authentication. When one authentication fails, the system will try another one. If one succeeds, it will pass.

Another question: is it possible to move the gssklog run to pam_sm_open_session, like pam_openafs_session does for aklog?

Any suggestions? Thanks.
Rong

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rong,Yongjun(CS)
Sent: Tuesday, June 15, 2004 4:36 PM
To: [EMAIL PROTECTED]; Douglas E. Engert
Cc: [EMAIL PROTECTED]
Subject: Solutions RE: [OpenAFS-devel] pam_gssklog on solaris9

Hi,
I have figured out the problem.
For Solaris, I added "#define TARGET_ARCH_SOLARIS" and changed gssklog_exec = "/usr/bin/gssklog" in gssklog_pag_klog.c and recompiled pam_gssklog.so.1. Then it works. Please make sure gssklog_exec is the path to your gssklog file, not the directory.
That's all. Thanks again for everyone's help.
Rong

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 14, 2004 8:57 PM
To: Douglas E. Engert
Cc: [EMAIL PROTECTED]
Subject: Re: [OpenAFS-devel] pam_gssklog on solaris9

I have changed it to /usr/bin and recompiled it. I put my gssklog in /usr/bin. But it still has the same error. I can run it manually without any problem. The env has the correct krb5 ticket cache file.

> "Rong,Yongjun(CS)" wrote:
>
>> Hi,
>> The execle(gssklog_exec, "gssklog","-silent",0,env) in gssklog_pag_klog
>> has been called. But it returns errno= 13 which means permission denied.
>> I have checked the permissions of gssklog and pam_gssklog.so.1. All are
>> 755. I can run gssklog manually via the command line. But pam_gssklog.so
>> cannot call gssklog via execle.
>
> gssklog_exec is the path of the gssklog. It defaults to /krb5/bin/gssklog
> If this is not the location, you will have to recompile or move it. It's on
> my to-do list to make this a parameter. (actually replace the
> gssklog_pag_klog.c with the routines used by ssh.)
>
>>
>> Anyone has any suggestions?
>> Thanks.
>> Rong
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of Rong,Yongjun(CS)
>> Sent: Monday, June 14, 2004 2:35 PM
>> To: [EMAIL PROTECTED]
>> Subject: RE: [OpenAFS-devel] pam_gssklog on solaris9
>>
>> I have got pam_sm_setcred called when a user logs in. But pam_gssklog
>> seems unable to call the gssklog_pag_klog function.
>> I got the debug information below before gssklog_pag_klog is called:
>> Jun 14 14:26:27 tset dtlogin[7216]: [ID 868606 user.debug] pam_gssklog: env=KRB5CCNAME=FILE:/tmp/krb5cc_2079_X7aago
>> Jun 14 14:26:27 tset dtlogin[7216]: [ID 868606 user.debug] pam_gssklog: set_pag=1
>>
>> I have checked that /tmp/krb5cc_2079_X7aago is correct. But it seems
>> gssklog_pag_klog is not called even though there is a function call from
>> pam_gssklog as below:
>> gssklog_pag_klog(set_pag, env);
>> I have put some debug output inside gssklog_pag_klog.c, but no
>> information was printed.
>> Thanks for your suggestions.
>> Rong
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of Rong,Yongjun(CS)
>> Sent: Thursday, June 10, 2004 5:02 PM
>> To: Rong,Yongjun(CS); [EMAIL PROTECTED]
>> Subject: RE: [OpenAFS-devel] pam_gssklog on solaris9
>>
>> I have got pam_sm_setcred called by the PAM framework after I changed my
>> pam.conf as below:
>> dtlogin auth requisite   pam_authtok_get.so.1 debug
>> #dtlogin auth required   pam_dhkeys.so.1 debug
>> #dtlogin auth sufficient pam_unix_auth.so.1 debug use_first_pass
>> dtlogin auth required    pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
>> dtlogin auth required    pam_gssklog.so.1 debug
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of Rong,Yongjun(CS)
>> Sent: Thursday, June 10, 2004 3:51 PM
>> To: [EMAIL PROTECTED]
>> Subject: [OpenAFS-devel] pam_gssklog on solaris9
>>
>> Hi, All,
>> I have another problem with pam_gssklog. It seems pam_sm_setcred
>> cannot be called during the process of login.
>> My pam.conf for dtlogin is as below:
>>
>> dtlogin auth requisite  pam_authtok_get.so.1 debug
>> dtlogin auth required   pam_dhkeys.so.1 debug
>> dtlogin auth sufficient pam_unix_auth.so.1 debug use_first_pass
>> dtlogin auth optional   pam_krb5.so debug forwardable realmm=TTU.EDU use_first_pass
>> dtlogin auth optional   pam_gssklog.so.1 debug
>>
>> pam_krb5.so is working fine. After the user logs in, I can klist the
>> tickets. But pam_gssklog is not working well. From the debug
>> information, pam_sm_setcred is not being called.
>> Any suggestions? Thanks in advance.
>> Rong
>>
>> _______________________________________________
>> OpenAFS-devel mailing list
>> [EMAIL PROTECTED]
>> https://lists.openafs.org/mailman/listinfo/openafs-devel
>
> --
>
> Douglas E. Engert <[EMAIL PROTECTED]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
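
Added example, not part of the original thread and not code from pam_gssklog: the errno 13 (EACCES) from execle() discussed above is what exec returns when the configured path names a directory rather than the helper binary. The sketch below checks a helper path before exec and shows the errno a real execle() attempt produces; the names check_helper_path and exec_errno are hypothetical, and "/" is used as a constructed sample directory.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names; none of this is taken from the pam_gssklog source. */
enum helper_status { HELPER_OK, HELPER_MISSING, HELPER_NOT_FILE, HELPER_NOT_EXEC };

/* Classify a configured helper path (the gssklog_exec value) before exec. */
enum helper_status check_helper_path(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return HELPER_MISSING;
    if (!S_ISREG(st.st_mode)) return HELPER_NOT_FILE; /* e.g. a directory */
    if (access(path, X_OK) != 0) return HELPER_NOT_EXEC;
    return HELPER_OK;
}

/* Fork and execle() path. Returns the child's errno if exec failed, 0 if it
 * succeeded, -1 on pipe/fork failure. The close-on-exec pipe only carries
 * data when execle() returns, which happens only on failure. */
int exec_errno(const char *path, char *const envp[])
{
    int fds[2], err = 0;
    if (pipe(fds) != 0) return -1;
    fcntl(fds[1], F_SETFD, FD_CLOEXEC);
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        close(fds[0]);
        execle(path, path, (char *)NULL, envp);
        err = errno;                       /* reached only if exec failed */
        if (write(fds[1], &err, sizeof err) < 0) { /* nothing more to do */ }
        _exit(127);
    }
    close(fds[1]);
    if (read(fds[0], &err, sizeof err) != (ssize_t)sizeof err) err = 0;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return err;
}

int main(void)
{
    char *const env[] = { NULL };
    /* Constructed sample: "/" is a directory, so exec fails with EACCES. */
    printf("check=%d errno=%d EACCES=%d\n", check_helper_path("/"), exec_errno("/", env), EACCES);
}
```

A module that logs the check_helper_path result before calling execle() turns a bare "permission denied" into a message that says the path is not a regular file.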
