Re: [OpenAFS] AIX 5.3 and aklog_dynamic_auth fail

2009-06-22 Thread Remi Ferrand
Thanks for your help.

It did the trick ;-)

-- 
Remi Ferrand | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 | et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/


On Fri, 2009-06-19 at 07:47 -0600, Karen Eldredge wrote:
> We moved both the aklog and aklog_dynamic_auth to /usr/vice/etc, and we use
> LDAP as the backend.
> 
> Our methods file looks like this:
> 
> LDAP:
> program = /usr/lib/security/LDAP
> program_64 =/usr/lib/security/LDAP64
> 
> KRB5:
> program = /usr/lib/security/KRB5
> program_64 = /usr/lib/security/KRB5_64
> options = authonly,kadmind=no
> 
> KRB5LDAP:
> options = db=LDAP,auth=KRB5
> 
> K5AFS:
> program = /usr/vice/etc/aklog_dynamic_auth
> options = authonly
> 
> Our user entries look like this:
> 
> USERID:
> SYSTEM = "(KRB5LDAP[SUCCESS] and K5AFS) OR KRB5LDAP"
> registry = KRB5LDAP
> 
> 
> If you don't use LDAP, then the options = db=LDAP and KRB5LDAP will be
> different.  Hope this helps.
[...]


___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] AIX 5.3 and aklog_dynamic_auth fail

2009-06-19 Thread Mike Garrison

On Jun 19, 2009, at 5:17 AM, Remi Ferrand wrote:


> However I still have the same error when an ssh connection is tried:
> 
> (from AFS AIX client machine)
> Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog
> loaded: uid 0 pag -1
> Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog
> starting: user testkrb5 uid 0
> Jun 19 11:09:59 ccdvrs03 auth|security:err|error sshd[385070]: LAM
> aklog: get_credv5 returns -1765328352
> Jun 19 11:09:59 ccdvrs03 auth|security:info sshd[385070]: Failed
> password for USERTEST from 134.158.71.108 port 48307 ssh2
> Jun 19 11:09:59 ccdvrs03 auth|security:info syslog: ssh: failed login
> attempt for USERTEST from .Y.fr
> 
> (From my KDCs logs)
> Jun 19 11:14:29 cckrb01.in2p3.fr krb5kdc[26295](info): TGS_REQ (1 etypes {1}) 134.158.105.107: PROCESS_TGS: authtime 0,  for afs/test.in2p3...@test.in2p3.fr, Ticket expired
> Jun 19 11:14:29 cckrb01.in2p3.fr krb5kdc[26295](info): TGS_REQ (1 etypes {1}) 134.158.105.107: PROCESS_TGS: authtime 0,  for afs/test.in2p3...@test.in2p3.fr, Ticket expired


If those are the matching log entries, I'd suggest checking the clock  
on both machines.. 11:09:59 vs 11:14:29 is enough of a time difference  
to cause issues.


If I set my clock to be 4m 30s behind, I get 'ticket expired' versus  
'clock skew too great'.


--
Mike Garrison


Re: [OpenAFS] AIX 5.3 and aklog_dynamic_auth fail

2009-06-19 Thread Derrick Brashear
On Fri, Jun 19, 2009 at 5:17 AM, Remi Ferrand wrote:

> Hey everyone,
>
> I'm working on AIX 5.3, with OpenAFS v1.4.10 / AIX NAS Kerberos 5.
>
> My AFS cell is online and functional with Kerberos 5 (kinit + aklog OR
> klog.krb5 works fine). I can obtain a Kerberos 5 ticket and extract an
> AFS Token from it without any problem.
>
> I'm now trying to obtain an AFS token as soon as I "ssh" into my AFS
> client.
> I could find a ChangeLog saying that AIX LAM Module "aklog_dynamic_auth"
> is now fully functional
> (http://www.openafs.org/frameset/dl/openafs/1.4.10/ChangeLog ) and could
> do this stuff.
>
> The LAM compilation plugin went fine (no error).
> When I re-start my SSH daemon, LAM plugin is correctly loaded.
>
> However I still have the same error when an ssh connection is tried:
>
> (from AFS AIX client machine)
> Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog
> loaded: uid 0 pag -1
> Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog
> starting: user testkrb5 uid 0
> Jun 19 11:09:59 ccdvrs03 auth|security:err|error sshd[385070]: LAM
> aklog: get_credv5 returns -1765328352


#define KRB5KRB_AP_ERR_TKT_EXPIRED   (-1765328352L)

Your configs below don't appear to actually get a ticket, they just try to
aklog.
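
Both diagnostic steps in this thread, Derrick's decoding of -1765328352 and Mike's comparison of the two log clocks, can be run mechanically over the lines Remi posted. The Python script below is an added example written for this thread; it is not code from OpenAFS, AIX or any of the posters. It maps a raw krb5 error code to its symbolic name using the krb5 error-table base (-1765328384 is error 0, so the RFC 4120 protocol error N sits at base + N), then pairs the client's LAM aklog failure with the KDC's TGS_REQ entry and measures the timestamp gap. The log lines are the ones from the thread rejoined onto single lines, the error-name table is a small subset of krb5's full one, and the 300-second tolerance is krb5's default clockskew.

```python
"""Decode the krb5 error code logged by the AIX LAM aklog module and measure
the clock gap between the AFS client's syslog and the KDC's log.
Added example for this thread; not OpenAFS or AIX code."""
import re
from datetime import datetime

# krb5 com_err table: KRB5KDC_ERR_NONE is -1765328384, and the RFC 4120
# protocol error number N (section 7.5.9) is stored as base + N.
KRB5_ERROR_TABLE_BASE = -1765328384

# Subset of the table (the full list is krb5's krb5_err.et); keys are the
# RFC 4120 error numbers.
KRB5_PROTOCOL_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB5KRB_AP_ERR_TKT_EXPIRED",
    33: "KRB5KRB_AP_ERR_TKT_NYV",
    37: "KRB5KRB_AP_ERR_SKEW",
}

# krb5's default clockskew tolerance, in seconds.
DEFAULT_CLOCKSKEW = 300

# Log lines from the thread, each rejoined onto a single line.
CLIENT_LOG = [
    "Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog loaded: uid 0 pag -1",
    "Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog starting: user testkrb5 uid 0",
    "Jun 19 11:09:59 ccdvrs03 auth|security:err|error sshd[385070]: LAM aklog: get_credv5 returns -1765328352",
]
KDC_LOG = [
    "Jun 19 11:14:29 cckrb01.in2p3.fr krb5kdc[26295](info): TGS_REQ (1 etypes {1}) 134.158.105.107: PROCESS_TGS: authtime 0,  for afs/test.in2p3...@test.in2p3.fr, Ticket expired",
]

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
GET_CREDV5_RE = re.compile(r"get_credv5 returns (-?\d+)")


def krb5_error_name(code):
    """Translate a raw krb5 error code into its symbolic name."""
    offset = code - KRB5_ERROR_TABLE_BASE
    return KRB5_PROTOCOL_ERRORS.get(offset, f"unknown krb5 error (offset {offset})")


def parse_syslog(line, year):
    """Split a BSD-syslog line into timestamp, host and message; syslog omits
    the year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "host": m.group("host"), "msg": m.group("msg")}


def first_aklog_failure(lines, year):
    """Return the first LAM aklog line carrying a get_credv5 error, decoded."""
    for line in lines:
        rec = parse_syslog(line, year)
        if rec is None:
            continue
        m = GET_CREDV5_RE.search(rec["msg"])
        if m:
            rec["code"] = int(m.group(1))
            rec["error"] = krb5_error_name(rec["code"])
            return rec
    return None


def first_kdc_result(lines, year):
    """Return the first krb5kdc line with the KDC's verdict (the text after
    the last comma, e.g. 'Ticket expired')."""
    for line in lines:
        rec = parse_syslog(line, year)
        if rec is None or "krb5kdc" not in rec["msg"]:
            continue
        rec["result"] = rec["msg"].rsplit(", ", 1)[-1].strip()
        return rec
    return None


def correlate(client_lines, kdc_lines, year=2009, tolerance=DEFAULT_CLOCKSKEW):
    """Pair the client failure with the KDC entry and measure the clock gap."""
    client = first_aklog_failure(client_lines, year)
    kdc = first_kdc_result(kdc_lines, year)
    if client is None or kdc is None:
        return None
    skew = abs((kdc["ts"] - client["ts"]).total_seconds())
    return {
        "client_error": client["error"],
        "kdc_result": kdc["result"],
        "skew_seconds": skew,
        "exceeds_tolerance": skew > tolerance,
    }


if __name__ == "__main__":
    print(correlate(CLIENT_LOG, KDC_LOG))
```

Run as is, it reports KRB5KRB_AP_ERR_TKT_EXPIRED on the client side, "Ticket expired" on the KDC side and a 270-second gap between the two logs, which is inside the default 5-minute tolerance; that is consistent with Mike's observation that a gap of a few minutes surfaces as an expired ticket rather than as a clock-skew error. Whether the two entries really describe the same request, as Mike's "if" acknowledges, is not something the logs alone can prove, so the script reports the gap rather than asserting the cause.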


Re: [OpenAFS] AIX 5.3 and aklog_dynamic_auth fail

2009-06-19 Thread Karen Eldredge
We moved both the aklog and aklog_dynamic_auth to /usr/vice/etc, and we use
LDAP as the backend.

Our methods file looks like this:

LDAP:
program = /usr/lib/security/LDAP
program_64 =/usr/lib/security/LDAP64

KRB5:
program = /usr/lib/security/KRB5
program_64 = /usr/lib/security/KRB5_64
options = authonly,kadmind=no

KRB5LDAP:
options = db=LDAP,auth=KRB5

K5AFS:
program = /usr/vice/etc/aklog_dynamic_auth
options = authonly

Our user entries look like this:

USERID:
SYSTEM = "(KRB5LDAP[SUCCESS] and K5AFS) OR KRB5LDAP"
registry = KRB5LDAP


If you don't use LDAP, then the options = db=LDAP and KRB5LDAP will be
different.  Hope this helps.


