Christopher Allen Wing wrote:
Frode:

The pam_krb5 module that comes with Red Hat should be able to obtain
tokens. Note that it may have some bugs:

        - it may not work with dynroot enabled
        - it may not work when you have more than 1 AFS database server


At some point I will try to get patches to Red Hat to fix these issues, but I believe it will work at least if you disable dynroot. (or if you add the name of your cell to the options string in /etc/pam.d/system-auth)


Hi Christopher, I believe I have traced my troubles trying to get an AFS token at login down to this module. I am running RHEL 4 with all the current updates as of 25 Apr 2005. I have the RH supplied version pam_krb5-2.1.2-1 installed. I am using the OpenAFS 1.3.81 client on this machine.

        My primary server is a RH 3.4 machine using
the current RH 3.4 packages for Krb5 (1.2.7-42).
I am running OpenAFS 1.2.13 here.  I am able to login
to 3.4 machines and get AFS tokens just fine using
pam_krb5-1.73-1.

        Under RH 4, I can authenticate against Krb 5, but
I cannot get an AFS token (talking to the same server
that the 3.4 machines work against).  I do not have
dynroot enabled.  After login, I can use the RH supplied
"afslog" command to obtain an AFS token successfully.

        I have the following as part of
my /etc/krb5.conf:

[appdefaults]
 pam = {
   debug = true
   ticket_lifetime = 86400
   renew_lifetime = 86400
   forwardable = true
   krb4_convert = true
   afs_cells = econ.duke.edu
   minimum_uid = 1000
 }
 afs_krb5 = {
   ECON.DUKE.EDU = {
      afs = true
   }
 }

        and my /etc/pam.d/system-auth file contains:

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5afs.so use_first_pass tokens afs_cells=econ.duke.edu debug
auth required /lib/security/$ISA/pam_deny.so


account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so


password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5afs.so use_authtok
password required /lib/security/$ISA/pam_deny.so


session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5afs.so


As per the K5 migration info, I have an afs principal: [EMAIL PROTECTED]. However, I note that the pam_krb5afs tries several other combinations, but not this one exactly. For example, it tries [EMAIL PROTECTED], afs/[EMAIL PROTECTED], and afs/[EMAIL PROTECTED].

        Could this be where the issue is?

        The debug log shows:

Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: obtaining afs tokens
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: obtaining tokens for 'econ.duke.edu'
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=0) failed to "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: trying with v4 ticket
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 8 (Exec format error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 8 (Exec format error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: v4 afslog failed to "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: retrying v5 with 2b=1
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=1) failed to "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error -1 (Unknown code ____ 255) while obtaining tokens for econ.duke.edu
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: obtaining tokens for 'econ.duke.edu'
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=0) failed to "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: trying with v4 ticket
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 8 (Exec format error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 8 (Exec format error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: v4 afslog failed to "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: retrying v5 with 2b=1
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=1) failed to "econ.duke.edu"
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: got error -1 (Unknown code ____ 255) while obtaining tokens for econ.duke.edu
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: removing ticket file '/tmp/tkt0_DfRMqS'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: removing ccache file '/tmp/krb5cc_0_QOt6KQ'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: creating v5 ccache for 'deej'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: saving v5 credentials to 'FILE:/tmp/krb5cc_1001_d1tFiY'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: created v5 ccache '/tmp/krb5cc_1001_WN3qGK' for 'deej'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: creating v4 ticket file for 'deej'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: saving v4 tickets to '/tmp/tkt1001_vySyzp'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: created v4 ticket file '/tmp/tkt1001_bA73kJ' for 'deej'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: pam_open_session returning 0 (Success)
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: configured realm 'ECON.DUKE.EDU'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flags: forwardable
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: no ignore_afs
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: tokens
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: user_check
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: krb4_convert
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: warn
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: ticket lifetime: 86400
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: renewable lifetime: 86400
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: minimum uid: 1000
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: banner: Kerberos 5
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: ccache dir: /tmp
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: keytab: /etc/krb5.keytab
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: afs cell: econ.duke.edu
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: called to update credentials for 'deej'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: _pam_krb5_sly_refresh returning 0 (Success)


Thanks for any help you may have to offer,

-Dj

--
Dj Merrill
Sportsman 2+2 Builder #7118

"TSA: Totally Screwing Aviation"
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
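
Added example (not part of the original message, and not code from pam_krb5 or OpenAFS): a small Python summarizer for debug output in the format of the log above. It reduces each "obtaining tokens for" round to the phases that failed and the v4 error codes seen. The sample lines are a constructed, shortened excerpt in that format, and the name `summarize` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a shortened excerpt in the format of the debug log above;
# principal names appear as the archive's "[EMAIL PROTECTED]" placeholder.
SAMPLE = '''\
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: obtaining tokens for 'econ.duke.edu'
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=0) failed to "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: trying with v4 ticket
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: v4 afslog failed to "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: retrying v5 with 2b=1
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=1) failed to "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error -1 (Unknown code ____ 255) while obtaining tokens for econ.duke.edu
'''

MSG = re.compile(r'pam_krb5\[\d+\]: (.*)$')
ATTEMPT = re.compile(r'attempting to obtain tokens for "[^"]+"')
V4_ERR = re.compile(r'got error (-?\d+) \(([^)]*)\) obtaining v4 creds')
PHASE_FAIL = re.compile(r'(v5 afslog \(2b=[01]\)|v4 afslog) failed to "[^"]+"')

def summarize(log_text):
    """Return one dict per "obtaining tokens for '<cell>'" round in the log."""
    rounds, cur = [], None
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue  # not a pam_krb5 debug line
        msg = m.group(1)
        if msg.startswith("obtaining tokens for '"):
            cur = {"cell": msg.split("'")[1], "attempts": 0, "failed_phases": [],
                   "v4_errors": Counter(), "final_error": None}
            rounds.append(cur)
        elif cur is None:
            continue  # lines before the first round (e.g. "obtaining afs tokens")
        elif ATTEMPT.search(msg):
            cur["attempts"] += 1
        elif (e := V4_ERR.search(msg)):
            cur["v4_errors"][f"{e.group(1)} ({e.group(2)})"] += 1
        elif (p := PHASE_FAIL.search(msg)):
            cur["failed_phases"].append(p.group(1))
        elif msg.startswith("got error") and "while obtaining tokens" in msg:
            cur["final_error"] = msg
    return rounds
```

A round whose `failed_phases` lists all three of `v5 afslog (2b=0)`, `v4 afslog` and `v5 afslog (2b=1)` has exhausted every fallback the log shows.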
