Ok, again replying to my mail. I found this link:

http://www.eyrie.org/~eagle/software/pam-afs-session/docs.html

and added the two options always_aklog aklog_homedir to the line

session optional pam_afs_session.so always_aklog aklog_homedir program=/usr/bin/aklog debug

in /etc/pam.d/common-session. But I face the permission denied problem nevertheless. The more complete log output of /var/log/auth.log:

===

Dec 10 11:46:31 pia sshd[15877]: nss_ldap: reconnected to LDAP server ldaps://prag-old.er.heitec.net after 1 attempt
Dec 10 11:46:31 pia sshd[15877]: Authorized to hrauch, krb5 principal hra...@er.heitec.net (krb5_kuserok)
Dec 10 11:46:31 pia sshd[15877]: Accepted gssapi-with-mic for hrauch from 10.64.80.14 port 49823 ssh2
Dec 10 11:46:31 pia sshd[15877]: pam_unix(sshd:session): session opened for user hrauch by (uid=0)
Dec 10 11:46:31 pia sshd[15877]: (pam_krb5): none: pam_sm_setcred: entry (0x2)
Dec 10 11:46:31 pia sshd[15877]: (pam_krb5): none: no context found, creating one
Dec 10 11:46:31 pia sshd[15877]: (pam_krb5): hrauch: unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
Dec 10 11:46:31 pia sshd[15877]: (pam_krb5): none: pam_sm_setcred: exit (failure)
Dec 10 11:46:31 pia sshd[15877]: (pam_afs_session): pam_sm_open_session: entry (0x0)
Dec 10 11:46:31 pia sshd[15877]: (pam_afs_session): passing -p /export/home/people/hrauch to aklog
Dec 10 11:46:31 pia sshd[15877]: (pam_afs_session): running /usr/bin/aklog as UID 10006
Dec 10 11:46:31 pia sshd[15877]: (pam_afs_session): pam_sm_open_session: exit (success)

===

Anything suspicious in there?

Thanks again & kind regards,

Holger

On Thu, 10 Dec 2009, Holger Rauch wrote:

> Rehi,
>
> replying to my own mail since I came across this link:
>
> http://www.mail-archive.com/kerbe...@mit.edu/msg12283.html
>
> The relevant excerpt from the mail:
>
> ===
>
> If you're doing GSSAPI authentication to sshd, this is normal, since
> sshd does ticket cache setup itself in that case and pam_krb5 doesn't
> need to do anything.
>
> ===
>
> So, the question is: can pam_afs_session.so (or aklog invoked by
> pam_afs_session.so) use the ticket cache of sshd and how?
>
> Thanks in advance & kind regards,
>
> Holger
>
> On Thu, 10 Dec 2009, Holger Rauch wrote:
>
> > Hi to everybody,
> >
> > The problem I got is that interactive kinit/aklog combos work
> > perfectly, but when I try to log in remotely via ssh, the passwordless
> > login itself works, but a cd to my home dir doesn't occur because
> > pam_afs_session.so is either not considered or doesn't call aklog. The
> > exact error messages read as follows:
> >
> > Could not chdir to home directory /export/home/people/hrauch: Permission denied
> > -bash: /export/home/people/hrauch/.bash_profile: Permission denied
> >
> > As it is now, I have to manually invoke kinit && aklog in order to be
> > able to successfully cd to my home dir. That's exactly what I wanted
> > to avoid.
> >
> > I googled but found only the hint that one needs to include
> > pam_afs_session.so in the PAM session config, which I did.
> >
> > The above implies that LDAP setup (used for POSIX account info)
> > and MIT Kerberos setup (for password maintenance) are configured correctly.
> > SSH is set up to forward Kerberos tickets by using these options in
> > /etc/ssh/ssh_config on the client:
> >
> > GSSAPIAuthentication yes
> > GSSAPIDelegateCredentials yes
> >
> > This happens on a Debian Lenny system with openafs packages installed
> > from backports.org in order to circumvent some kind of memory
> > allocation error preventing the openafs kernel module from being loaded.
> >
> > Here's the list of installed openafs packages obtained via dpkg -l:
> >
> > ===
> >
> > ii libpam-afs-session 1.7-1 PAM module to set up a PAG and obtain AFS tokens
> > ii openafs-client 1.4.11+dfsg-5~bpo50+1 AFS distributed filesystem client support
> > ii openafs-krb5 1.4.11+dfsg-5~bpo50+1 AFS distributed filesystem Kerberos 5 integration
> > ii openafs-modules-dkms 1.4.11+dfsg-5~bpo50+1 AFS distributed filesystem kernel module DKMS source
> > ii openafs-modules-source 1.4.11+dfsg-5~bpo50+1 AFS distributed filesystem kernel module source
> >
> > ===
> >
> > My PAM config (I have a few "fallback" system accounts too, that's why
> > pam_unix.so is mentioned):
> >
> > - /etc/pam.d/common-account
> >
> > ===
> >
> > account sufficient pam_unix.so
> > account required pam_ldap.so minimum_uid=10000 debug
> > account required pam_krb5.so minimum_uid=10000 ignore_root debug
> >
> > ===
> >
> > - /etc/pam.d/common-auth
> >
> > ===
> >
> > auth sufficient pam_unix.so nullok_secure
> > auth sufficient pam_krb5.so use_first_pass minimum_uid=10000 ignore_root debug
> > auth optional pam_afs_session.so program=/usr/bin/aklog
> > auth required pam_deny.so
> >
> > ===
> >
> > - /etc/pam.d/common-password
> >
> > ===
> >
> > password sufficient pam_unix.so nullok obscure md5
> > password required pam_krb5.so use_first_pass minimum_uid=10000 ignore_root debug
> >
> > ===
> >
> > - /etc/pam.d/common-session (I verified the path to aklog)
> >
> > ===
> >
> > session required pam_limits.so
> > session required pam_unix.so
> > session optional pam_krb5.so minimum_uid=10000 ignore_root debug
> > session optional pam_afs_session.so program=/usr/bin/aklog debug
> >
> > ===
> >
> > Anything wrong with my PAM config?
> >
> > /var/log/auth.log tells me:
> >
> > ===
> >
> > Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): hrauch: unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
> > Dec 10 10:50:33 pia sshd[15641]: (pam_krb5): none: pam_sm_setcred: exit (failure)
> > Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: entry (0x0)
> > Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): skipping tokens, no Kerberos ticket cache
> > Dec 10 10:50:33 pia sshd[15641]: (pam_afs_session): pam_sm_open_session: exit (success)
> >
> > ===
> >
> > Now, the obvious question is: How can I tell sshd or pam_krb5.so about
> > the ticket cache file?
> >
> > Thanks in advance for any help!
> >
> > Kind regards,
> >
> > Holger
>
> --
> =========================================
> Holger Rauch
> Application Software Development
> UNIX System Administration
>
> Tel.: +49 / 9131 / 877 - 141
> Fax: +49 / 9131 / 877 - 266
> Email: holger.ra...@empic.de
> =========================================

--
=========================================
Holger Rauch
Application Software Development
UNIX System Administration

Tel.: +49 / 9131 / 877 - 141
Fax: +49 / 9131 / 877 - 266
Email: holger.ra...@empic.de
=========================================
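Added by the editor, not part of Holger's mails: a small shell script that triages the pam_afs_session and pam_krb5 debug lines quoted in this thread, and a second function to run from the user's side right after an ssh login. The two auth.log excerpts above differ in one line: the first says "skipping tokens, no Kerberos ticket cache", the second says aklog was run as the user's UID, yet the home directory is still inaccessible. The triage separates those two states per sshd process, and treats pam_krb5's "unable to get PAM_KRB5CCNAME" line as informational, which is what the quoted kerberos list mail says it is for GSSAPI logins. The matched strings are taken from the excerpts above; the function names, verdict words and sample log lines in the usage are this script's own. klist -s is the MIT Kerberos flag (exit status only); cd into an AFS directory needs the 'l' right, which requires a token.

```bash
#!/bin/bash
# Added example (not from the thread): triage pam_afs_session / pam_krb5
# debug output, then check a live login from the user's side.
# Matched strings are those in the thread's auth.log excerpts; the verdict
# words and function names are this script's own.

# afs_session_triage LOGFILE [SSHD_PID]
# Prints one verdict on stdout:
#   tokens-skipped   pam_afs_session saw no ticket cache and did not run aklog
#   aklog-ran        pam_afs_session ran aklog as the user's UID
#   no-data          no pam_afs_session session lines for that login
afs_session_triage() {
    local log=$1 pid=${2:-} scope
    if [ -n "$pid" ]; then
        # Restrict to one sshd process so two logins are not mixed up.
        scope=$(grep "sshd\[$pid\]" "$log" || true)
    else
        scope=$(cat "$log")
    fi
    if printf '%s\n' "$scope" | grep -q '(pam_afs_session): skipping tokens, no Kerberos ticket cache'; then
        echo tokens-skipped
    elif printf '%s\n' "$scope" | grep -q '(pam_afs_session): running .* as UID [0-9]'; then
        echo aklog-ran
    else
        echo no-data
    fi
}

# pam_krb5_no_ccname LOGFILE [SSHD_PID]
# Returns 0 if pam_krb5 logged "unable to get PAM_KRB5CCNAME" for that login.
# With GSSAPI authentication this is expected: sshd, not pam_krb5, sets up the
# ticket cache (per the kerberos list mail quoted in the thread), so the line
# is informational and not the reason for a missing AFS token.
pam_krb5_no_ccname() {
    local log=$1 pid=${2:-}
    if [ -n "$pid" ]; then
        grep "sshd\[$pid\]" "$log" | grep -q 'unable to get PAM_KRB5CCNAME'
    else
        grep -q 'unable to get PAM_KRB5CCNAME' "$log"
    fi
}

# afs_login_check
# Run interactively right after an ssh login, before any manual kinit/aklog.
# klist -s (MIT Kerberos) exits 0 only when the cache named by KRB5CCNAME, or
# the default cache, is readable and not expired.  cd into $HOME on AFS needs
# the 'l' right, which the user only has with a token in the current PAG.
afs_login_check() {
    echo "KRB5CCNAME=${KRB5CCNAME:-<unset>}"
    if ! klist -s 2>/dev/null; then
        echo "no valid Kerberos ticket cache in this shell: sshd stored no credentials here"
        return 1
    fi
    if ! ( cd "$HOME" ) 2>/dev/null; then
        echo "ticket present but \$HOME not accessible: no AFS token in this PAG"
        if aklog 2>/dev/null && ( cd "$HOME" ) 2>/dev/null; then
            echo "aklog by hand fixed it: the PAM session's token is not visible to this shell"
        fi
        return 2
    fi
    echo "ticket and token both present: home directory accessible"
    return 0
}

# Usage: afs-session-check.sh /var/log/auth.log 15877
if [ $# -gt 0 ]; then
    afs_session_triage "$@"
fi
```

Pass the sshd PID from the "Accepted gssapi-with-mic" line so the verdict refers to a single login; without it the first matching state in the file wins. The login-side check is deliberately ordered ticket, then token, then directory, because each step is a precondition for the next and the thread's symptom (permission denied on $HOME) is the last one.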