pam_krb5afs.so not getting token on login. Details Trying to get a new RH 7.3 box setup in our environment. Here is the background. We use KRB5 for Authentication, LDAP for user info, AFS for file services and SSH for remote access. Trying to get a new IMAP server up and running.. Here are the packages loaded for AFS, KRB5 and SSH: [root@imap1 root]# rpm -qa | grep -i afs openafs-kernel-1.2.5-rh7.3.1 krbafs-utils-1.1.1-1 krbafs-1.1.1-1 openafs-1.2.5-rh7.3.1 openafs-client-1.2.5-rh7.3.1 openafs-kernel-source-1.2.5-rh7.3.1 krbafs-devel-1.1.1-1 openafs-krb5-1.2.5-rh7.3.1 [root@imap1 root]# rpm -qa | grep -i krb pam_krb5-1.55-1 krb5-libs-1.2.4-1 krb5-devel-1.2.4-1 krb5-workstation-1.2.4-1 [root@imap1 root]# rpm -qa | grep -i ssh openssh-3.1p1-6 openssh-clients-3.1p1-6 openssh-server-3.1p1-6 [root@imap1 root]# rpm -qa | grep -i kernel kernel-2.4.18-5 kernel-smp-2.4.18-5 kernel-source-2.4.18-5 Now I had to recompile the kernel module for AFS since I am using the 18-5 and the AFS rpm was only compiled for 18-3. Here is my pam.d/system-auth... I have not modified any other pam.d config files. #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_unix.so likeauth nullok auth sufficient /lib/security/pam_krb5afs.so use_first_pass debug auth required /lib/security/pam_deny.so account required /lib/security/pam_unix.so account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_krb5afs.so debug password required /lib/security/pam_cracklib.so retry=3 type= password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow password sufficient /lib/security/pam_krb5afs.so use_authtok debug password required /lib/security/pam_deny.so session required /lib/security/pam_limits.so session required /lib/security/pam_unix.so session optional /lib/security/pam_krb5afs.so debug Only thing I have done is add the debug option... And here is the pam section of my krb5.conf: [appdefaults] pam = { debug = true ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = true afs_cells = rose-hulman.edu max_timeout = 30 timeout_shift = 2 initial_timeout = 1 } And last, my nsswitch.conf for user info: passwd: files ldap shadow: files ldap group: files ldap Now.. If I try to login as a normal use via SSH... I get authenticated.. User info is found via ldap..... Only thing that does not happen is a token for the cell is not obtained. After login I can do a aklog and all is fine... So the underlining pieces are there.. The debug output from syslog looks good for the KRB5 part, but with the AFS here as some parts that don't look right... If you want the whole thing let me know.. The KRB4 items seem to be messed up.... Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: `mdbaker' has uid 10775, gid 20 Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: attempting to authenticate `mdbaker' Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: get_int_tkt returned Success Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: authentication succeeds for `mdbaker' Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: credentials saved for `mdbaker' Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: ciphertext length in TGT = 128 Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: service name in v4 TGT too long: ñÒ^C.«§\231Ð Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: Got v4 TGT for `@' Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: Got 185 extra bytes in v4 TGT Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: Extra data = ^S#@p^L ^H Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: Extra data = "@¨åÿ¿\2265 Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: saved return code (0) for later use Seems to be reading the config info properly... that is the correct cell: Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: Creating a ticket with addresses Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: krb4_convert true Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: will afslog to cells `rose-hulman.edu' Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: will afslog to cell `rose-hulman.edu' Here is a part this I think is not working... The afslog() is returning a 79.... Don't know what that means.... Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: credentials retrieved Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: KRB5CCNAME=FILE:/tmp/krb5cc_10775_5XiAw1 Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: opening ticket file `/tmp/tkt10775_S1vjOS' Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: save v4 creds (@:171), 46 Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: KRBTKFILE=/tmp/tkt10775_S1vjOS Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: k_setpag() Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: k_setpag() returned 0 Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: afslog() to cell `rose-hulman.edu' Aug 5 09:06:46 imap1 sshd[1617]: pam_krb5afs: afslog() returned 79 Then I am in the system... But I can't access my home dir since it is in AFS space and I have no token... If I use aklog then I get a token and all worked well.. But since this is going to be an IMAP server, and the "login" will be via IMAP.. I need the token to be obtained during the authentication process... Any help would be appreciated... Thanks See-ya Mitch -- /####################################################################/ /# Mitchell "Buzz" Baker "To Infinity And Beyond..." #/ /# Sr. Systems/Security Admin Rose-Hulman Institute of Technology #/ /# Mitchell.D.Baker@rose-hulman.edu www.rose-hulman.edu #/ /# For PGP Public key, check out www.keyserver.net #/ /####################################################################/