https://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html
The version of pam_krb5 that supports rxkad-kdf contains a minikafs_kd_derive() function at minikafs.c line 775.
See https://github.com/frozencemetery/pam_krb5. As mentioned in my prior reply, pam_krb5 should not be used in conjunction with sssd.
Jeffrey Altman

On 7/8/2022 8:35 AM, Stephan Wonczak (a0...@rrz.uni-koeln.de) wrote:
> Hi everyone! (Berthold's colleague here)
>
> We dug a little deeper and found the part in the pam_krb5 sources where it fails. It is in the file "minikafs.c", starting in line 775. It looks like the call to krb5_get_credentials() gets a non-zero return value, thus making it bail out. The problem is that we (well, at least me!) have no idea which enctype is expected, and which enctypes are actually tried. Debug output is not too helpful here. Any ideas on how to get useful information? (I should mention I am waaay out of depth here with my knowledge of Kerberos, and my C-fu is severely lacking, too ;-) )
>
> To be absolutely clear: We can ssh-login to the machine running this pam_krb5.so module, and get a valid krb5 ticket. No AFS token after login, thus no access to AFS. If I do "klog.krb5", I -do- get an AFS token without any issues, and AFS access starts working as it should. It's maddening that only pam_krb5 complains, while other tools work out of the box.
>
> Any advice would be greatly appreciated!
>
> Stephan
>
> On Fri, 8 Jul 2022, Berthold Cogel wrote:
>
>> On 07.07.22 at 19:04, Dirk Heinrichs wrote:
>>
>>> Benjamin Kaduk:
>>>
>>>> Are you aware of pam_afs_session (https://github.com/rra/pam-afs-session)? Without knowing more about what you're using pam_krb5 for it's hard to make specific suggestions about what alternatives might exist.
>>>
>>> BTW: pam_krb5 != pam_krb5. There are two different modules with the same name out there. The one shipped with Red Hat family distributions comes with integrated AFS support, while the one shipped with Debian family distributions doesn't. That's the reason why Debian also ships pam_afs_session and RH does not.
>>>
>>> Bye...
>>>
>>> Dirk
>>
>> We're using the pam_krb5 shipped with Red Hat.
>>
>> I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it seems to work.... for some value of working....
>>
>> Supported enctypes in our kdc: aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3
>>
>> We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to get connections from newer Ubuntu/Debian and Fedora 35 working.
>>
>> We get a krb5 ticket and a login, but getting the AFS token gives errors:
>>
>> "error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=1) on behalf of ....: No credentials found with supported encryption types"
>>
>> Same for two other enctypes. So something else changed in RHEL 8, which we haven't found yet.
>>
>> Regards
>> Berthold
>>
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>
> Dipl. Chem. Dr. Stephan Wonczak
> Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
> Universitaet zu Koeln, Weyertal 121, 50931 Koeln
> Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
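To make concrete what the rxkad-kdf remark above means for the failure quoted from Berthold and Stephan: an rxkad client that cannot derive keys needs the service ticket's session key to itself be single DES (enctype 1, des-cbc-crc), which is why a pam_krb5 without the KDF asks krb5_get_credentials() for enctype=1 and gives up when nothing matching comes back, while a KDF-capable client accepts an AES session key and derives the 56-bit rxkad key from it. The Python below is an added illustration written for this page; it is not the pam_krb5 minikafs_kd_derive() code nor the OpenAFS implementation. The construction it implements (HMAC-MD5 keyed with the session key over the label "rxkad" plus a one-byte counter, the first seven bytes of the output fed through the RFC 3961 DES random-to-key step, counter bumped when the result is a weak or semi-weak key) is my reconstruction of the rxkad-kdf scheme from memory, so the exact label and counter layout should be checked against the afs3-standardization text linked at the top before it is relied on for interoperability. The function names, the sample AES-256 session key and the enctype constants are mine.

```python
"""Illustration of rxkad-kdf style DES key derivation (added example, not
pam_krb5's or OpenAFS's own code)."""
import hashlib
import hmac

# Kerberos enctype numbers for the single-DES types an rxkad client can use
# directly (RFC 3961 / RFC 4120 assignments): des-cbc-crc, des-cbc-md4, des-cbc-md5.
SINGLE_DES_ENCTYPES = {1, 2, 3}
AES256_CTS_HMAC_SHA1_96 = 18

# The 16 DES weak and semi-weak keys in parity-adjusted form (FIPS 74); a
# derived key equal to one of these is rejected and the counter is bumped.
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
    "011F011F010E010E", "1F011F010E010E01",
    "01E001E001F101F1", "E001E001F101F101",
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
)}


def des_fix_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so that each byte has odd parity."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        out.append(high7 | (0 if bin(high7).count("1") % 2 else 1))
    return bytes(out)


def des_random_to_key(rand56: bytes) -> bytes:
    """RFC 3961 DES random-to-key: 7 random bytes -> 8-byte DES key.

    The eighth key byte collects the low-order bit of each of the first seven
    bytes (bit i+1 <- low bit of byte i); the low bit of every byte then
    becomes the parity bit.
    """
    if len(rand56) != 7:
        raise ValueError("DES random-to-key needs exactly 7 bytes")
    k = bytearray(rand56) + bytearray(1)
    for i in range(7):
        k[7] |= (k[i] & 1) << (i + 1)
    return des_fix_parity(bytes(k))


def rxkad_kdf(session_key: bytes, label: bytes = b"rxkad") -> tuple[bytes, int]:
    """Derive a usable DES key from a non-DES Kerberos session key.

    Assumed construction (my reconstruction, not verified against OpenAFS):
    K_n = HMAC-MD5(session_key, label || n) for n = 1, 2, ...; the first 56
    bits go through DES random-to-key; weak/semi-weak results are skipped by
    incrementing n. Returns (key, n) so callers can see the attempts needed.
    """
    for counter in range(1, 256):
        prf = hmac.new(session_key, label + bytes([counter]), hashlib.md5).digest()
        candidate = des_random_to_key(prf[:7])
        if candidate not in DES_WEAK_KEYS:
            return candidate, counter
    raise ValueError("no non-weak DES key found in 255 attempts")


def rxkad_token_key(session_key: bytes, session_enctype: int, client_has_kdf: bool) -> bytes:
    """Pick the 8-byte rxkad key for a service ticket, or fail the way a
    non-KDF client does when handed a non-DES session key."""
    if session_enctype in SINGLE_DES_ENCTYPES:
        if len(session_key) != 8:
            raise ValueError("single-DES session key must be 8 bytes")
        return session_key  # usable as-is, no derivation needed
    if not client_has_kdf:
        # A client without rxkad-kdf has nothing it can do with an AES or 3DES
        # session key; pam_krb5 surfaces this after asking for enctype=1 as
        # "No credentials found with supported encryption types".
        raise LookupError(f"session enctype {session_enctype} unusable without rxkad-kdf")
    key, _ = rxkad_kdf(session_key)
    return key


# Constructed sample input: a made-up 32-byte aes256-cts-hmac-sha1-96 session key.
SAMPLE_AES256_SESSION_KEY = bytes(range(0x10, 0x30))

if __name__ == "__main__":
    key, n = rxkad_kdf(SAMPLE_AES256_SESSION_KEY)
    print(f"derived DES key {key.hex()} on attempt {n}")
    try:
        rxkad_token_key(SAMPLE_AES256_SESSION_KEY, AES256_CTS_HMAC_SHA1_96, client_has_kdf=False)
    except LookupError as e:
        print(f"non-KDF client: {e}")
```

With an 8-byte enctype 1 session key the selector returns the key unchanged, which is the only case a non-KDF client can handle; with an AES-256 session key and no KDF it raises, which is the situation behind the "No credentials found with supported encryption types" message in the quoted report. One caveat of my own, not taken from the thread: MIT krb5 disables single-DES unless allow_weak_crypto is set and removed it entirely in release 1.18, so on a current client library a request for enctype 1 cannot be satisfied whatever keys the KDC still stores for the afs principal.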