Do your systems have keytabs on them, with host instances? Using Kerberos for 
login requires a validation step; it's not enough just to get a ticket, because 
it's an opaque blob that you can't verify directly (and so might have been 
injected by an attacker). The only way to validate it is to attempt to use it 
to authenticate to a service; so pam_krb5, after getting your TGT, uses it to 
get a service ticket for the host you're logging in to and then uses the copy 
of the service key in /etc/krb5.keytab to decrypt the service ticket. If this 
fails, login is rejected.

If the host you're logging in to doesn’t have a keytab then you will need to 
make one. I can't help you with this for AD, aside from noting that this will 
usually be created from an AD machine account, that is, joining the machine to 
the AD domain using e.g. Samba. (I think it is also possible to create the 
account directly and extract the keytab, but I don't know any details.)

Winbind uses a different (and less secure: while it is encrypted, the key is 
fixed and well known) mechanism.

-----Original Message-----
From: zhaoxy...@ustc.edu.cn [mailto:zhaoxy...@ustc.edu.cn] 
Sent: Sunday, May 8, 2016 10:31 PM
To: Benjamin Kaduk <ka...@mit.edu>
Cc: openafs-info@openafs.org; Brandon Allbery <ballb...@sinenomine.net>
Subject: Re: Re: Re: RE: [OpenAFS] ad+openafs

hi,
Sorry, I need to add something.
I have three servers.
 ad +kerberos  win2008
 nis server openafs server   linux redhat 6.7
 nis slave  openafs client   linux redhat 6.7
I can use the AD accounts to log in to the Linux server and can get tokens, but the 
pam configuration with pam_krb5 does not seem to be working. If I use 
ad+winbind+openafs, the pam configuration with pam_krb5 is working fine. Do I 
miss some pam packages?


> 
> Hi,
> I modified the /etc/pam.d/system-auth file, but it did not work. How can I 
> debug this error? Are there any other files that need to be modified?
> 
> root@test-afs002 cai]# vi /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_krb5.afs.so use_first_pass ignore_root
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
> account     required      pam_permit.so
> 
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_krb5afs.so use_authtok
> password    sufficient    pam_winbind.so cached_login use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_krb5afs.so
> 
> 
> 
> 
> > -----Original Message-----
> > From: "Benjamin Kaduk" <ka...@mit.edu>
> > Sent: 2016-05-06 23:17:46 (Friday)
> > To: zhaoxy...@ustc.edu.cn
> > Cc: 
> > Subject: Re: RE: [OpenAFS] ad+openafs
> > 
> > You should keep the list cc'd for this thread; there are many other 
> > people with more experience in this regard than me.
> > 
> > That said, it sounds like you want pam_krb5 and pam_afs_session on 
> > the linux client, with some configuration knobs set accordingly.
> > 
> > -Ben
> > 
> > On Thu, 5 May 2016, zhaoxy...@ustc.edu.cn wrote:
> > 
> > >
> > > Hi,
> > > The system works now, but I want to get tokens when I log in to the Linux 
> > > system without typing the kinit and aklog commands. How can I achieve this 
> > > goal? Do I need to install some packages?
> > >
> > > Software configuration: AD (Windows 2008 server) + NIS + OpenAFS 1.6.14
> > >
> > > > -----Original Message-----
> > > > From: "Benjamin Kaduk" <ka...@mit.edu>
> > > > Sent: 2016-05-04 13:44:00 (Wednesday)
> > > > To: "Brandon Allbery" <ballb...@sinenomine.net>
> > > > Cc: "zhaoxy...@ustc.edu.cn" <zhaoxy...@ustc.edu.cn>, 
> > > > "openafs-info@openafs.org" <openafs-info@openafs.org>
> > > > Subject: RE: [OpenAFS] ad+openafs
> > > >
> > > > 1.6.14 doesn't need to have single-DES enabled; we shouldn't be 
> > > > recommending it.  The rxkad.keytab method should work fine with AES 
> > > > keys.
> > > >
> > > > -Ben
> > > >
> > > > On Tue, 3 May 2016, Brandon Allbery wrote:
> > > >
> > > > > -1765328370 is KRB5KDC_ERR_ETYPE_NOSUPP. This often means that 
> > > > > DES is disabled somewhere. Note that the client library *also* 
> > > > > needs DES enabled; you might need to add to the [libdefaults] 
> > > > > section of /etc/krb5.conf on the RH system,
> > > > >
> > > > >     allow_weak_crypto = true
> > > > >
> > > > > From: openafs-info-ad...@openafs.org 
> > > > > [mailto:openafs-info-ad...@openafs.org] On Behalf Of 
> > > > > zhaoxy...@ustc.edu.cn
> > > > > Sent: Tuesday, May 3, 2016 4:39 AM
> > > > > To: openafs-info@openafs.org
> > > > > Subject: [OpenAFS] ad+openafs
> > > > >
> > > > >
> > > > > hi
> > > > >
> > > > > I installed openafs1.6.14 on redhat 6.7 and I want to use AD as the 
> > > > > krb5 auth.
> > > > >
> > > > > Here are my steps:
> > > > >
> > > > > 1  install openafs1.6.14 on redhat6.7
> > > > >
> > > > > 2  install ad on windows 2008 r2
> > > > >
> > > > > 3  ktpass -princ afs/cellname@ADDOMAINNAME -mapuser afscell@ADDOMAINNAME \
> > > > >      -mapOp add -out afs-keytab +rndPass -crypto DES-CBC-CRC +DesOnly \
> > > > >      -ptype KRB5_NT_PRINCIPAL +DumpSalt
> > > > >
> > > > > 4 use kinit wang
> > > > >
> > > > >    aklog
> > > > >
> > > > > [root@test-afs002 ]# klist -e -f
> > > > > Ticket cache: FILE:/tmp/krb5cc_0
> > > > > Default principal: w...@pc.com
> > > > >
> > > > > Valid starting     Expires            Service principal
> > > > > 05/03/16 16:26:46  05/04/16 02:26:33  krbtgt/pc....@pc.com
> > > > >         renew until 05/10/16 16:26:46, Flags: FRIA
> > > > >         Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> > > > > 05/03/16 16:27:04  05/04/16 02:26:33  afs/pc....@pc.com
> > > > >         renew until 05/10/16 16:26:46, Flags: FRA
> > > > >         Etype (skey, tkt): arcfour-hmac, arcfour-hmac
> > > > > [root@test-afs002 ]# ls /afs/pc.com/
> > > > > ls: cannot open directory /afs/pc.com/: Permission denied
> > > > > [root@test-afs002 ]#
> > > > >
> > > > > If I create an afs user in the AD as a normal user with the login 
> > > > > afs, set "user cannot change password" and "password never expires", 
> > > > > and try to set "Use Kerberos DES encryption types for this 
> > > > > account" on the Account tab, then when I use the command
> > > > >
> > > > > [root@test-afs002 ]# kinit wang
> > > > > Password for w...@pc.com:
> > > > > [root@test-afs002 ]# aklog
> > > > > aklog: Couldn't get pc.com AFS tickets:
> > > > > aklog: unknown RPC error (-1765328370) while getting AFS 
> > > > > tickets
> > > > > [root@test-afs002 ]#
> > > > >
> > > > > I configured the AD following the web page 
> > > > > https://wiki.openafs.org/win2008r2adaskdc/, but I can't find what is 
> > > > > wrong. Can you tell me?
> > > > >
> > > > > thanks
> > > > >
> > > > >
> > > > >
> > >

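The validation step described at the top of this thread only works if /etc/krb5.keytab actually holds a host/<fqdn> key for the machine. As an added example (not from the thread, and not OpenAFS or pam_krb5 code), this Python parser reads a version 0x0502 keytab and reports the host entries pam_krb5 could use; the hostnames, realm and key bytes in SAMPLE_KEYTAB are constructed, and the single-DES set reflects the allow_weak_crypto point raised later in the thread.

```python
import struct
from collections import namedtuple

KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype key")
SINGLE_DES = {1, 2, 3}  # des-cbc-crc/md4/md5: only usable with allow_weak_crypto

def _cos(b):  # keytab counted_octet_string: uint16 length, then the bytes
    return struct.pack(">H", len(b)) + b
def _read_cos(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    # Layout per entry: int32 size, uint16 ncomp, realm, components, name_type,
    # timestamp, vno8, keyblock (enctype + octets), optional 32-bit kvno.
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # a negative size marks a deleted slot; skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _read_cos(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_cos(data, off)
            comps.append(c.decode())
        _nt, _ts, vno8, etype = struct.unpack_from(">IIBH", data, off)  # name_type, time, vno8, enctype
        key, off = _read_cos(data, off + 11)
        kvno = vno8
        if end - off >= 4:  # optional 32-bit kvno; MIT uses it when non-zero
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, etype, key))
        off = end
    return entries

def host_keys(entries, fqdn, realm):
    """Entries pam_krb5 could use to decrypt a host/<fqdn>@REALM service ticket."""
    return [e for e in entries if e.principal == "host/%s@%s" % (fqdn, realm)]

def _entry(principal, realm, kvno, etype, key, ts=1462700000):  # encoder used for the sample only
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _cos(realm.encode()) + b"".join(_cos(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, ts, kvno & 0xFF, etype) + _cos(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = (b"\x05\x02" + _entry("host/afs1.example.com", "EXAMPLE.COM", 3, 18, bytes(range(32)))
                 + _entry("afs/example.com", "EXAMPLE.COM", 2, 23, bytes(16)))  # constructed, not a real keytab
```

On a real host, pass `open("/etc/krb5.keytab", "rb").read()` to `parse_keytab` and check that `host_keys` is non-empty for the machine's FQDN and realm (the same check `klist -k /etc/krb5.keytab` lets you do by eye).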