Re: [OpenAFS] AIX 5.3 and aklog_dynamic_auth fail
Thanks for your help. It did the trick ;-)

--
Remi Ferrand | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 | et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/

On Fri, 2009-06-19 at 07:47 -0600, Karen Eldredge wrote:
> We moved both the aklog and aklog_dynamic_auth to /usr/vice/etc, and we use
> LDAP as the backend.
>
> Our methods file looks like this:
>
> LDAP:
>         program = /usr/lib/security/LDAP
>         program_64 = /usr/lib/security/LDAP64
>
> KRB5:
>         program = /usr/lib/security/KRB5
>         program_64 = /usr/lib/security/KRB5_64
>         options = authonly,kadmind=no
>
> KRB5LDAP:
>         options = db=LDAP,auth=KRB5
>
> K5AFS:
>         program = /usr/vice/etc/aklog_dynamic_auth
>         options = authonly
>
> Our user entries look like this:
>
> USERID:
>         SYSTEM = "(KRB5LDAP[SUCCESS] and K5AFS) OR KRB5LDAP"
>         registry = KRB5LDAP
>
> If you don't use LDAP, then the options = db=LDAP and KRB5LDAP will be
> different. Hope this helps.
[...]

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] AIX 5.3 and aklog_dynamic_auth fail
On Jun 19, 2009, at 5:17 AM, Remi Ferrand wrote:

> However I still have the same error when an ssh connection is tried :
>
> (from AFS AIX client machine)
> Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog loaded: uid 0 pag -1
> Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog starting: user testkrb5 uid 0
> Jun 19 11:09:59 ccdvrs03 auth|security:err|error sshd[385070]: LAM aklog: get_credv5 returns -1765328352
> Jun 19 11:09:59 ccdvrs03 auth|security:info sshd[385070]: Failed password for USERTEST from 134.158.71.108 port 48307 ssh2
> Jun 19 11:09:59 ccdvrs03 auth|security:info syslog: ssh: failed login attempt for USERTEST from .Y.fr
>
> (From my KDCs logs)
> Jun 19 11:14:29 cckrb01.in2p3.fr krb5kdc[26295](info): TGS_REQ (1 etypes {1}) 134.158.105.107: PROCESS_TGS: authtime 0, for afs/test.in2p3...@test.in2p3.fr, Ticket expired
> Jun 19 11:14:29 cckrb01.in2p3.fr krb5kdc[26295](info): TGS_REQ (1 etypes {1}) 134.158.105.107: PROCESS_TGS: authtime 0, for afs/test.in2p3...@test.in2p3.fr, Ticket expired

If those are the matching log entries, I'd suggest checking the clock on both machines.. 11:09:59 vs 11:14:29 is enough of a time difference to cause issues. If I set my clock to be 4m 30s behind, I get 'ticket expired' versus 'clock skew too great'.

--
Mike Garrison
Re: [OpenAFS] AIX 5.3 and aklog_dynamic_auth fail
On Fri, Jun 19, 2009 at 5:17 AM, Remi Ferrand wrote:
> Hi everyone,
>
> I'm working on AIX 5.3, with OpenAFS v1.4.10 / AIX NAS Kerberos 5.
>
> My AFS cell is online and functional with Kerberos 5 (kinit + aklog OR
> klog.krb5 works fine). I can obtain a Kerberos 5 ticket and extract an
> AFS Token from it without any problem.
>
> I'm now trying to obtain an AFS token as soon as I "ssh" into my AFS
> client.
> I could find a ChangeLog saying that AIX LAM Module "aklog_dynamic_auth"
> is now fully functional
> (http://www.openafs.org/frameset/dl/openafs/1.4.10/ChangeLog ) and could
> do this stuff.
>
> The LAM compilation plugin went fine (no error).
> When I re-start my SSH daemon, LAM plugin is correctly loaded.
>
> However I still have the same error when an ssh connection is tried :
>
> (from AFS AIX client machine)
> Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog
> loaded: uid 0 pag -1
> Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog
> starting: user testkrb5 uid 0
> Jun 19 11:09:59 ccdvrs03 auth|security:err|error sshd[385070]: LAM
> aklog: get_credv5 returns -1765328352

#define KRB5KRB_AP_ERR_TKT_EXPIRED (-1765328352L)

Your configs below don't appear to actually get a ticket, they just try to aklog.
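An added diagnostic that ties the two replies above together; it is my own example, not code from this thread, from OpenAFS or from the AIX LAM module. It decodes a raw get_credv5 return value via the krb5 com_err table base (ERROR_TABLE_BASE_krb5 is -1765328384, so -1765328352 is offset 32, KRB5KRB_AP_ERR_TKT_EXPIRED, and -1765328347 is offset 37, KRB5KRB_AP_ERR_SKEW), and it compares the client and KDC syslog timestamps the way Mike Garrison suggests. The log lines are constructed to mirror the ones quoted here, with a placeholder principal; the year, the 300-second default clockskew, the function names and the assumption that the two log lines describe the same TGS request are all mine.

```python
import re
from datetime import datetime

# krb5 com_err error table base (ERROR_TABLE_BASE_krb5, 0x96C73A00 as a signed
# 32-bit value). Every krb5 protocol error code is this base plus a small offset.
KRB5_ERROR_TABLE_BASE = -1765328384

# Subset of the krb5 error table, keyed by offset from the base. Only the
# codes that point at ticket lifetime or clock problems are listed here.
KRB5_ERROR_NAMES = {
    32: "KRB5KRB_AP_ERR_TKT_EXPIRED",  # Ticket expired
    33: "KRB5KRB_AP_ERR_TKT_NYV",      # Ticket not yet valid
    37: "KRB5KRB_AP_ERR_SKEW",         # Clock skew too great
}
TIME_RELATED = set(KRB5_ERROR_NAMES.values())

# Default [libdefaults] clockskew in krb5.conf (assumption for this example).
DEFAULT_CLOCKSKEW_SECONDS = 300

# Constructed sample lines modelled on the thread; principal is a placeholder.
CLIENT_LOG = """\
Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog loaded: uid 0 pag -1
Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog starting: user testkrb5 uid 0
Jun 19 11:09:59 ccdvrs03 auth|security:err|error sshd[385070]: LAM aklog: get_credv5 returns -1765328352
"""
KDC_LOG = """\
Jun 19 11:14:29 kdc.example.invalid krb5kdc[26295](info): TGS_REQ (1 etypes {1}) 192.0.2.10: PROCESS_TGS: authtime 0, for afs/cell.example@EXAMPLE.REALM, Ticket expired
"""

SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
GET_CREDV5 = re.compile(r"get_credv5 returns (-?\d+)")


def decode_krb5_error(code):
    """Map a numeric krb5 com_err code to its symbolic name, or None if not in our table."""
    return KRB5_ERROR_NAMES.get(code - KRB5_ERROR_TABLE_BASE)


def parse_syslog_time(line, year=2009):
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp; syslog omits the year, so it is assumed."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def find_get_credv5_errors(log_text):
    """Return (timestamp, code, name) for every LAM aklog get_credv5 failure line."""
    results = []
    for line in log_text.splitlines():
        m = GET_CREDV5.search(line)
        if m:
            code = int(m.group(1))
            results.append((parse_syslog_time(line), code, decode_krb5_error(code)))
    return results


def clock_skew_seconds(client_log, kdc_log):
    """Absolute difference in seconds between the first timestamp of each log.

    This only measures skew if both lines record the same request, which is
    the assumption Mike's reply makes ("if those are the matching log entries").
    """
    client_ts = next(t for t in map(parse_syslog_time, client_log.splitlines()) if t)
    kdc_ts = next(t for t in map(parse_syslog_time, kdc_log.splitlines()) if t)
    return abs((kdc_ts - client_ts).total_seconds())


def diagnose(client_log, kdc_log, tolerance=DEFAULT_CLOCKSKEW_SECONDS):
    """Decode the error codes, then flag any clock difference worth checking."""
    findings = []
    errors = find_get_credv5_errors(client_log)
    for ts, code, name in errors:
        when = ts.strftime("%H:%M:%S") if ts else "??:??:??"
        findings.append(f"{when} get_credv5 returned {code} ({name or 'unknown krb5 code'})")
    skew = clock_skew_seconds(client_log, kdc_log)
    if skew > tolerance:
        findings.append(f"client/KDC timestamps differ by {skew:.0f}s, above the {tolerance}s clockskew tolerance")
    elif skew and any(name in TIME_RELATED for _, _, name in errors):
        # Below the tolerance the KDC will not answer "clock skew too great", but a
        # time-related error alongside a measurable offset still points at the clocks.
        findings.append(f"client/KDC timestamps differ by {skew:.0f}s alongside a time-related krb5 error; check NTP on both hosts")
    return findings


if __name__ == "__main__":
    for finding in diagnose(CLIENT_LOG, KDC_LOG):
        print(finding)
```

Run against the constructed logs it reports the decoded KRB5KRB_AP_ERR_TKT_EXPIRED and a 270-second offset between the two hosts, which is under the default tolerance and therefore matches Mike's observation that 4m30s yields 'ticket expired' rather than 'clock skew too great'. Extending KRB5_ERROR_NAMES with further offsets from krb5's error table is all that is needed to decode other get_credv5 results.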
Re: [OpenAFS] AIX 5.3 and aklog_dynamic_auth fail
We moved both the aklog and aklog_dynamic_auth to /usr/vice/etc, and we use LDAP as the backend.

Our methods file looks like this:

LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,kadmind=no

KRB5LDAP:
        options = db=LDAP,auth=KRB5

K5AFS:
        program = /usr/vice/etc/aklog_dynamic_auth
        options = authonly

Our user entries look like this:

USERID:
        SYSTEM = "(KRB5LDAP[SUCCESS] and K5AFS) OR KRB5LDAP"
        registry = KRB5LDAP

If you don't use LDAP, then the options = db=LDAP and KRB5LDAP will be different. Hope this helps.