On Mon, Jul 29, 2019 at 12:47:35PM +0800, huangql wrote:
> Dear all,
>
> I'm stuck with the ticket cache file permission incorrect after users login
> farm with Pam module. In this case, users failed to run "kpasswd", "klist"
> command with the following error.
>
> kpasswd: Credentials cache permissions incorrect getting principal from ccache

That sounds like an issue at the Kerberos or PAM (configuration) layer;
asking on kerbe...@mit.edu might be more likely to reach the right people.

-Ben

> klist: Credentials cache permissions incorrect while setting cache flags
> (ticket cache FILE:/tmp/krb5cc_60037_1BdT0m)
>
>
> I found the error caused by the incorrect permission of ticket file (all the
> personal ticket file with the root uid but right gid).
>
> For example:
>
> -rw------- 1 root u07 469 Jul 29 10:00 /tmp/krb5cc_60037_1BdT0m
>
> And this issue happens in Scientific Linux 6 not in Scientific Linux 7.
>
> I attached the pam.d configuration:
>
>
> [root@lxslc613 ~]# vi /etc/pam.d/system-auth-ac
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        sufficient    pam_krb5.so try_first_pass
> auth        optional      pam_afs_session.so program=/usr/bin/aklog
> auth        required      pam_env.so
> auth        sufficient    pam_fprintd.so
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        required      pam_deny.so
>
> account     sufficient    pam_krb5.so
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     required      pam_permit.so
>
> password    sufficient    pam_krb5.so use_first_pass
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass
> use_authtok
> password    required      pam_deny.so
>
> session     required      pam_unix.so
> session     optional      pam_krb5.so
> session     optional      pam_afs_session.so program=/usr/bin/aklog
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
>
>
> [root@lxslc613 ~]# vi /etc/pam.d/password-auth-ac
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        sufficient    pam_krb5.so try_first_pass
> auth        optional      pam_afs_session.so program=/usr/bin/aklog
>
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        required      pam_deny.so
>
> account     sufficient    pam_krb5.so
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass
> use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_krb5.so
> session     optional      pam_afs_session.so program=/usr/bin/aklog
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session     required      pam_unix.so
>
>
> Does anyone know about this issue and give me some clues? Any suggestions
> would be greatly appreciated. Many thanks.
>
> Regards,
> Qiulan
>
>
> huangql
> ====================================================================
> Computing center, the Institute of High Energy Physics, CAS, China
> Qiulan Huang                  Tel: (+86) 10 8823 6087
> P.O. Box 918-7                Fax: (+86) 10 8823 6839
> Beijing 100049 P.R. China     Email: huan...@ihep.ac.cn
> ===================================================================

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
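A quick way to audit a login node for the symptom described in this thread (FILE ccaches under /tmp owned by root instead of the user whose uid is in the file name), added here as an example and not code from either poster; it assumes Linux with GNU stat and the default krb5cc_<uid>_XXXXXX naming shown above.

```shell
#!/bin/sh
# Audit Kerberos FILE credential caches in a directory and flag every cache
# whose owning uid differs from the uid encoded in its name
# (e.g. /tmp/krb5cc_60037_1BdT0m owned by root, as in the thread).
# Assumes GNU stat (Linux); caches not in the krb5cc_<uid>_ form are skipped.

# check_ccache_owners DIR
# Prints "<path> owner=<uid> expected=<uid>" for each mismatched cache.
# Returns 0 if every cache is owned by its user, 1 if any mismatch is found.
check_ccache_owners() {
    dir=$1
    rc=0
    for f in "$dir"/krb5cc_*; do
        [ -e "$f" ] || continue            # glob matched nothing: no caches
        name=${f##*/}                       # krb5cc_60037_1BdT0m
        want=${name#krb5cc_}                # 60037_1BdT0m
        want=${want%%_*}                    # 60037
        case $want in
            ''|*[!0-9]*) continue ;;        # e.g. krb5cc_root: no uid in name
        esac
        have=$(stat -c %u "$f") || continue # actual owning uid of the file
        if [ "$have" != "$want" ]; then
            printf '%s owner=%s expected=%s\n' "$f" "$have" "$want"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: audit /tmp (the location in the thread) and exit non-zero
# when any cache is owned by the wrong uid, so it can run from cron/monitoring.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    check_ccache_owners "${1:-/tmp}"
fi
```

A mismatch line like `/tmp/krb5cc_60037_1BdT0m owner=0 expected=60037` is exactly the state that makes klist and kpasswd fail with "Credentials cache permissions incorrect".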