Frode:
The pam_krb5 module that comes with Red Hat should be able to obtain tokens. Note that it may have some bugs:
- it may not work with dynroot enabled
- it may not work when you have more than 1 AFS database server
At some point I will try to get patches to Red Hat to fix these issues, but I believe it will work at least if you disable dynroot. (or if you add the name of your cell to the options string in /etc/pam.d/system-auth)
Hi Christopher,
I believe I have traced my troubles trying to get an AFS token at login down to this module. I am running RHEL 4 with all the current updates as of 25 Apr 2005. I have the RH supplied version pam_krb5-2.1.2-1 installed. I am using the OpenAFS 1.3.81 client on this machine.
My primary server is a RH 3.4 machine using the current RH 3.4 packages for Krb5 (1.2.7-42). I am running OpenAFS 1.2.13 here. I am able to log in to 3.4 machines and get AFS tokens just fine using pam_krb5-1.73-1.
Under RH 4, I can authenticate against Krb 5, but I cannot get an AFS token (talking to the same server that the 3.4 machines work against). I do not have dynroot enabled. After login, I can use the RH supplied "afslog" command to obtain an AFS token successfully.
I have the following as part of my /etc/krb5.conf:
[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 86400
        renew_lifetime = 86400
        forwardable = true
        krb4_convert = true
        afs_cells = econ.duke.edu
        minimum_uid = 1000
    }
    afs_krb5 = {
        ECON.DUKE.EDU = {
            afs = true
        }
    }
and my /etc/pam.d/system-auth file contains:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5afs.so use_first_pass tokens afs_cells=econ.duke.edu debug
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5afs.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5afs.so
As per the K5 migration info, I have an afs principal: [EMAIL PROTECTED]. However, I note that the pam_krb5afs tries several other combinations, but not this one exactly. For example, it tries [EMAIL PROTECTED], afs/[EMAIL PROTECTED], and afs/[EMAIL PROTECTED].
Could this be where the issue is?
The debug log shows:
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: obtaining afs tokens
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: obtaining tokens for 'econ.duke.edu'
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=0) failed to "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: trying with v4 ticket
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 8 (Exec format error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: got error 8 (Exec format error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: v4 afslog failed to "econ.duke.edu"
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: retrying v5 with 2b=1
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=1) failed to "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error -1 (Unknown code ____ 255) while obtaining tokens for econ.duke.edu
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: obtaining tokens for 'econ.duke.edu'
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=0) failed to "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: trying with v4 ticket
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 8 (Exec format error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 71 (Protocol error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: got error 8 (Exec format error) obtaining v4 creds for "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: v4 afslog failed to "econ.duke.edu"
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: retrying v5 with 2b=1
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afsx/[EMAIL PROTECTED]")
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: v5 afslog (2b=1) failed to "econ.duke.edu"
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: got error -1 (Unknown code ____ 255) while obtaining tokens for econ.duke.edu
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: removing ticket file '/tmp/tkt0_DfRMqS'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: removing ccache file '/tmp/krb5cc_0_QOt6KQ'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: creating v5 ccache for 'deej'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: saving v5 credentials to 'FILE:/tmp/krb5cc_1001_d1tFiY'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: created v5 ccache '/tmp/krb5cc_1001_WN3qGK' for 'deej'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: creating v4 ticket file for 'deej'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: saving v4 tickets to '/tmp/tkt1001_vySyzp'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: created v4 ticket file '/tmp/tkt1001_bA73kJ' for 'deej'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: pam_open_session returning 0 (Success)
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: configured realm 'ECON.DUKE.EDU'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flags: forwardable
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: no ignore_afs
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: tokens
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: user_check
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: krb4_convert
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: flag: warn
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: ticket lifetime: 86400
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: renewable lifetime: 86400
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: minimum uid: 1000
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: banner: Kerberos 5
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: ccache dir: /tmp
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: keytab: /etc/krb5.keytab
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: afs cell: econ.duke.edu
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: called to update credentials for 'deej'
Apr 25 13:39:37 galactica sshd[28332]: pam_krb5[28332]: _pam_krb5_sly_refresh returning 0 (Success)
Thanks for any help you may have to offer,
-Dj
-- Dj Merrill
Sportsman 2+2 Builder #7118
"TSA: Totally Screwing Aviation"
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info