Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
On 7/8/2022 6:57 AM, Jeffrey E Altman wrote:
> Use of the RHEL7 pam_krb5 on a sssd enabled system will do the wrong thing
> since it's going to step on the toes of sssd's Kerberos ticket processing.

Only if you let sssd touch Kerberos. There are any number of reasons not to let it do so (no clue if the KRB5 and LDAP problems are fixed in later versions, but the EL8 code was written by crazed weasels on crack).

But I'd use Russ' pam_krb5 instead of one from EL7 (https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html), which would probably require you to use pam_afs_session as suggested (unless I'm missing something in the docs, which is very possible).

-- 
Carson

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Jeffrey E Altman:
> Red Hat's pam_krb5 is not shipped nor supported for RHEL8 (or later).

Ah, OK. As a non-RH user, I wasn't aware they threw it out. Thanks for clarifying.

> The replacement is sssd which supports Kerberos ticket acquisition but
> not AFS token acquisition. The recommendation for acquiring AFS tokens
> on sssd enabled systems is to use pam_afs_session

Yep, that's what I also do on my sssd-enabled (because of AD) Debian systems.

Bye...

Dirk

-- 
Dirk Heinrichs
Matrix address: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Stephan Wonczak:
> Any advice would be greatly appreciated!

As Benjamin wrote: Try pam_afs_session. It should be added to the "auth" and "session" blocks of your PAM setup.

https://packages.debian.org/bullseye/libpam-afs-session
https://www.eyrie.org/~eagle/software/pam-afs-session

HTH...

Dirk

-- 
Dirk Heinrichs
Matrix address: @heini:chat.altum.de
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
Privacy Handbuch: https://www.privacy-handbuch.de
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Sounds like the version of pam_krb5 you are attempting to build does not include support for rxkad-kdf.

https://lists.openafs.org/pipermail/afs3-standardization/2013-July/002738.html

The version of pam_krb5 that supports rxkad-kdf contains a minikafs_kd_derive() function at minikafs.c line 775. See https://github.com/frozencemetery/pam_krb5.

As mentioned in my prior reply, pam_krb5 should not be used in conjunction with sssd.

Jeffrey Altman

On 7/8/2022 8:35 AM, Stephan Wonczak (a0...@rrz.uni-koeln.de) wrote:
> Hi everyone! (Berthold's colleague here)
>
> We dug a little deeper and found the part in the pam_krb5 sources where it fails. It is in the file "minikafs.c" starting in line 775. It looks like the call to krb5_get_credentials() gets a non-zero return value, thus making it bail out. The problem is that we (well, at least me!) have no idea which enctype is expected, and which enctypes are actually tried. Debug output is not too helpful here. Any ideas on how to get useful information? (I should mention I am waaay out of depth here with my knowledge of Kerberos, and my C-fu is severely lacking, too ;-) )
>
> To be absolutely clear: We can ssh-login to the machine running this pam_krb.so module, and get a valid krb5 ticket. No AFS token after login, thus no access to AFS. If I do "klog.krb5", I -do- get an AFS token without any issues, and AFS access starts working as it should. It's maddening that only pam_krb5 complains, while other tools work out of the box.
>
> Any advice would be greatly appreciated!
>
> Stephan
>
> On Fri, 8 Jul 2022, Berthold Cogel wrote:
>> On 07.07.22 at 19:04, Dirk Heinrichs wrote:
>>> Benjamin Kaduk:
>>>> Are you aware of pam_afs_session (https://github.com/rra/pam-afs-session)? Without knowing more about what you're using pam_krb5 for it's hard to make specific suggestions about what alternatives might exist.
>>>
>>> BTW: pam_krb5 != pam_krb5. There are two different modules with the same name out there. The one shipped with RedHat family distributions comes with integrated AFS support, while the one shipped with Debian family distributions doesn't. That's the reason why Debian also ships pam_afs_session and RH does not.
>>>
>>> Bye...
>>>
>>> Dirk
>>
>> We're using the pam_krb5 shipped with Red Hat. I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it seems to work for some value of working.
>>
>> Supported enctypes in our kdc:
>> aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3
>>
>> We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to get connections from newer Ubuntu/Debian and Fedora 35 working.
>>
>> We get a krb5 ticket and a login, but getting the AFS token gives errors:
>> "error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=1) on behalf of : No credentials found with supported encryption types"
>> Same for two other enctypes.
>>
>> So something else changed in RHEL 8, which we haven't found yet.
>>
>> Regards
>> Berthold
>
> Dipl. Chem. Dr. Stephan Wonczak
> Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
> Universitaet zu Koeln, Weyertal 121, 50931 Koeln
> Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
On 7/7/2022 1:04 PM, Dirk Heinrichs (dirk.heinri...@altum.de) wrote:
> Benjamin Kaduk:
>> Are you aware of pam_afs_session (https://github.com/rra/pam-afs-session)? Without knowing more about what you're using pam_krb5 for it's hard to make specific suggestions about what alternatives might exist.
>
> BTW: pam_krb5 != pam_krb5. There are two different modules with the same name out there. The one shipped with RedHat family distributions comes with integrated AFS support, while the one shipped with Debian family distributions doesn't. That's the reason why Debian also ships pam_afs_session and RH does not.
>
> Bye...
>
> Dirk

Red Hat's pam_krb5 is not shipped nor supported for RHEL8 (or later).

The replacement is sssd which supports Kerberos ticket acquisition but not AFS token acquisition. The recommendation for acquiring AFS tokens on sssd enabled systems is to use pam_afs_session.

https://github.com/SSSD/sssd/issues/1505 "Support/Cache OpenAFS Authentication"

Use of the RHEL7 pam_krb5 on a sssd enabled system will do the wrong thing since it's going to step on the toes of sssd's Kerberos ticket processing.

pam-afs-session is the correct tool to use on RHEL8 and later. The pam-afs-session bundled with AuriStorFS clients is known to acquire tokens in conjunction with sssd. The primary differences between AuriStorFS pam_afs_session and Russ' are code quality improvements and use of external aklog and unlog instead of built-ins.

Jeffrey Altman
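The PAM layout recommended in Dirk's and Jeffrey's replies (pam_sss.so acquires the Kerberos ticket, pam_afs_session.so sits in both the auth and session stacks to get and drop the AFS token, and no pam_krb5.so is stacked beside sssd) can be checked mechanically before a host is put into service. The script below is an added example and is not code from this thread, from pam-afs-session or from sssd; the PAM file it reads is a constructed sample, and the control flags (sufficient/optional) on a real system are a local policy choice rather than something the thread prescribes.

```shell
#!/bin/sh
# Added example, not from the thread: audit a PAM stack for the RHEL 8
# combination the thread recommends. Checks:
#   1. pam_afs_session.so is present in the auth stack
#   2. pam_afs_session.so is present in the session stack
#   3. if pam_sss.so handles auth, pam_krb5.so must not also be in auth
# The config below is a constructed sample, not a file from any poster's host.

SAMPLE_PAM_CONFIG='# constructed sample in the style of /etc/pam.d/system-auth
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        sufficient    pam_sss.so use_first_pass
auth        optional      pam_afs_session.so
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
session     required      pam_limits.so
session     optional      pam_sss.so
session     optional      pam_afs_session.so'

# has_module TYPE MODULE: succeed if a non-comment line whose management type
# is TYPE (a leading "-" on the type is ignored) loads MODULE. Config on stdin.
has_module() {
    grep -v '^[[:space:]]*#' | awk -v t="$1" -v m="$2" '
        {
            type = $1; sub(/^-/, "", type)
            if (type != t) next
            # the module name may follow a bracketed control field, so scan all fields
            for (i = 2; i <= NF; i++) if ($i == m) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# audit_pam_stack: config on stdin; prints one line per finding and returns 0
# only if every check passes.
audit_pam_stack() {
    cfg=$(cat)
    rc=0
    for stack in auth session; do
        if printf '%s\n' "$cfg" | has_module "$stack" pam_afs_session.so; then
            echo "ok:   pam_afs_session.so is in the $stack stack"
        else
            echo "FAIL: pam_afs_session.so is missing from the $stack stack"
            rc=1
        fi
    done
    if printf '%s\n' "$cfg" | has_module auth pam_sss.so; then
        if printf '%s\n' "$cfg" | has_module auth pam_krb5.so; then
            echo "FAIL: pam_krb5.so and pam_sss.so are both in the auth stack;" \
                 "they will fight over the Kerberos credential cache"
            rc=1
        else
            echo "ok:   Kerberos tickets come from pam_sss.so alone"
        fi
    fi
    return $rc
}

# Against a live host you would run: audit_pam_stack < /etc/pam.d/system-auth
printf '%s\n' "$SAMPLE_PAM_CONFIG" | audit_pam_stack
```

The checks are deliberately about presence in the right stacks, not about flags: pam_afs_session needs the auth entry to see the freshly acquired ticket cache and the session entry to create and later destroy the PAG and token, which is why Dirk's reply names both blocks.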
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
Hi everyone! (Berthold's colleague here)

We dug a little deeper and found the part in the pam_krb5 sources where it fails. It is in the file "minikafs.c" starting in line 775. It looks like the call to krb5_get_credentials() gets a non-zero return value, thus making it bail out. The problem is that we (well, at least me!) have no idea which enctype is expected, and which enctypes are actually tried. Debug output is not too helpful here. Any ideas on how to get useful information? (I should mention I am waaay out of depth here with my knowledge of Kerberos, and my C-fu is severely lacking, too ;-) )

To be absolutely clear: We can ssh-login to the machine running this pam_krb.so module, and get a valid krb5 ticket. No AFS token after login, thus no access to AFS. If I do "klog.krb5", I -do- get an AFS token without any issues, and AFS access starts working as it should. It's maddening that only pam_krb5 complains, while other tools work out of the box.

Any advice would be greatly appreciated!

Stephan

On Fri, 8 Jul 2022, Berthold Cogel wrote:
> On 07.07.22 at 19:04, Dirk Heinrichs wrote:
>> Benjamin Kaduk:
>>> Are you aware of pam_afs_session (https://github.com/rra/pam-afs-session)? Without knowing more about what you're using pam_krb5 for it's hard to make specific suggestions about what alternatives might exist.
>>
>> BTW: pam_krb5 != pam_krb5. There are two different modules with the same name out there. The one shipped with RedHat family distributions comes with integrated AFS support, while the one shipped with Debian family distributions doesn't. That's the reason why Debian also ships pam_afs_session and RH does not.
>>
>> Bye...
>>
>> Dirk
>
> We're using the pam_krb5 shipped with Red Hat. I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it seems to work for some value of working.
>
> Supported enctypes in our kdc:
> aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3
>
> We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to get connections from newer Ubuntu/Debian and Fedora 35 working.
>
> We get a krb5 ticket and a login, but getting the AFS token gives errors:
> "error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=1) on behalf of : No credentials found with supported encryption types"
> Same for two other enctypes.
>
> So something else changed in RHEL 8, which we haven't found yet.
>
> Regards
> Berthold

Dipl. Chem. Dr. Stephan Wonczak
Regionales Rechenzentrum der Universitaet zu Koeln (RRZK)
Universitaet zu Koeln, Weyertal 121, 50931 Koeln
Tel: +49/(0)221/470-89583, Fax: +49/(0)221/470-89625
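Stephan asks how to find out which enctype the failing krb5_get_credentials() call is asking for. The error Berthold quotes already says (enctype=1), and enctype 1 in the Kerberos registry (RFC 3961) is des-cbc-crc: the rebuilt module is requesting a single-DES session key for the afs/ service ticket, which is what code without rxkad-kdf support does, exactly as Jeffrey's reply says. Two standard MIT Kerberos facilities show this directly: running the failing command with KRB5_TRACE=/dev/stderr in the environment logs every TGS request and the enctypes offered, and `klist -e` prints the session-key and ticket enctypes of the tickets that were issued. The script below is an added example, not code from this thread or from OpenAFS; it parses a constructed `klist -e` listing and reports whether the afs/ ticket carries a DES session key (usable by any client, but weak) or a non-DES key that only an rxkad-kdf-capable client can turn into a token, which is the split the thread describes between the rebuilt pam_krb5 and klog.krb5.

```shell
#!/bin/sh
# Added example, not from the thread: classify the session-key enctype of the
# afs/ service ticket in MIT `klist -e` output. The listing below is a
# constructed sample in the format MIT klist -e prints; it is not real output
# from any poster's system.

SAMPLE_KLIST_OUTPUT='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
07/08/2022 10:00:00  07/08/2022 20:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
07/08/2022 10:00:05  07/08/2022 20:00:00  afs/example.org@EXAMPLE.ORG
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

# afs_session_enctype: klist -e output on stdin; prints the session-key (skey)
# enctype name of the first afs/ ticket, or "none" if no afs/ ticket is cached.
afs_session_enctype() {
    awk '
        # a ticket line starts with a date and names the service principal last
        /^[^ \t].*[ \t]afs\// { in_afs = 1; next }
        # the indented Etype line that follows it carries "skey, tkt"
        in_afs && /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\):[ \t]*/, "")
            sub(/,.*/, "")
            print; found = 1; exit
        }
        { in_afs = 0 }
        END { if (!found) print "none" }'
}

# afs_key_class ENCTYPE: map the enctype name to what it means for token
# acquisition:
#   des  - single-DES session key; any AFS client can use it, but it is weak
#   kdf  - non-DES session key; the client must support rxkad-kdf to derive
#          the DES key the token needs (this is what the thread's rebuilt
#          pam_krb5 lacks)
#   none - no afs/ ticket in the cache at all
afs_key_class() {
    case "$1" in
        none)                                 echo none ;;
        des-cbc-crc|des-cbc-md4|des-cbc-md5)  echo des ;;
        *)                                    echo kdf ;;
    esac
}

# diagnose_afs_ticket: klist -e output on stdin; prints des, kdf or none.
diagnose_afs_ticket() {
    afs_key_class "$(afs_session_enctype)"
}

# On a live host: klist -e | diagnose_afs_ticket
printf '%s\n' "$SAMPLE_KLIST_OUTPUT" | diagnose_afs_ticket
```

If the result is "kdf" and a module that predates rxkad-kdf is in the PAM stack, that module will keep asking the KDC for enctype 1 and failing with the message Berthold quotes, while an rxkad-kdf-capable tool such as klog.krb5 is satisfied with the AES session key; if the result is "des", the KDC is still issuing weak single-DES keys for the afs/ service.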
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
On 08.07.22 at 11:24, Berthold Cogel wrote:
> We're using the pam_krb5 shipped with Red Hat. I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it seems to work for some value of working.
>
> Supported enctypes in our kdc:
> aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3
>
> We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to get connections from newer Ubuntu/Debian and Fedora 35 working.
>
> We get a krb5 ticket and a login, but getting the AFS token gives errors:
> "error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=1) on behalf of : No credentials found with supported encryption types"
> Same for two other enctypes.
>
> So something else changed in RHEL 8, which we haven't found yet.

I forgot to add that klog.krb5 is getting a token after login...
Re: [OpenAFS] How to replace pam_krb5 on RHEL 8 systems
On 07.07.22 at 19:04, Dirk Heinrichs wrote:
> Benjamin Kaduk:
>> Are you aware of pam_afs_session (https://github.com/rra/pam-afs-session)? Without knowing more about what you're using pam_krb5 for it's hard to make specific suggestions about what alternatives might exist.
>
> BTW: pam_krb5 != pam_krb5. There are two different modules with the same name out there. The one shipped with RedHat family distributions comes with integrated AFS support, while the one shipped with Debian family distributions doesn't. That's the reason why Debian also ships pam_afs_session and RH does not.
>
> Bye...
>
> Dirk

We're using the pam_krb5 shipped with Red Hat. I've rebuilt the module from the RHEL 7 source rpm on RHEL 8. And it seems to work for some value of working.

Supported enctypes in our kdc:
aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal des:afs3

We 'rekeyed' our AFS environment with aes256-cts-hmac-sha1-96:normal to get connections from newer Ubuntu/Debian and Fedora 35 working.

We get a krb5 ticket and a login, but getting the AFS token gives errors:
"error obtaining credentials for 'afs/rrz.uni-koeln...@rrz.uni-koeln.de' (enctype=1) on behalf of : No credentials found with supported encryption types"
Same for two other enctypes.

So something else changed in RHEL 8, which we haven't found yet.

Regards
Berthold